Kerberos V5 Maximum Tolerance?

minipower

Hello!

I have a big problem with the Kerberos V5 feature called "Maximum tolerance for
computer clock synchronization". I have a Win2003 domain. I already tried
changing local group policy and domain policy (Kerberos Policy). I also tried
the registry key HKLM\System\CCS\Control\Lsa\Kerberos\Parameters (dword
"SkewTime"), but nothing helps. I simply don't need this time-difference
checking; I need the machines to be on different times. How can I disable this
Kerberos feature in Win2003?

Thanks!
 
minipower said:
Hello!

I have a big problem with the Kerberos V5 feature called "Maximum tolerance for
computer clock synchronization". I have a Win2003 domain. I already tried
changing local group policy and domain policy (Kerberos Policy). I also tried
the registry key HKLM\System\CCS\Control\Lsa\Kerberos\Parameters (dword
"SkewTime"), but nothing helps. I simply don't need this time-difference
checking; I need the machines to be on different times. How can I disable this
Kerberos feature in Win2003?

Why would you ever want any of your computers to have
a different time than the current accurate time?

Are you perhaps unaware that 9:00 AM Eastern is the same
as 8:00 AM Central, since the machines can show the
local time based on the zone but maintain system time as
Universal Time (aka Greenwich Mean Time or GMT)?

As long as all of the machines are on Earth, they almost
certainly should use the same system time.
 
It isn't a Windows thing, it is a Kerberos thing. You need the machines to be
synced. All you can do is modify how out of sync they can be through Domain Policy.

Why do you need them synced? Because without syncing and maintaining a tight
time frame, someone could sniff your network and grab the Kerberos packets when
you log on as an admin, then replay them later and become you for all intents and
purposes on the network.

joe
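The replay argument joe makes above, worked through as an added toy model (this is example code written for this page, not code from the thread, from Windows or from any Kerberos implementation). It models the acceptor side of the AP exchange as RFC 4120 section 3.2.3 describes it: the authenticator's client time is compared with the server's clock and rejected with KRB_AP_ERR_SKEW if the difference exceeds the tolerance in either direction, and an authenticator seen before within the window is rejected with KRB_AP_ERR_REPEAT from a replay cache. The principal name and timestamps are constructed sample data. The last scenario shows what widening the tolerance to 25 hours (the cruise-ship case) costs: the replay cache must remember entries far longer, and a server that loses its cache accepts a captured authenticator outright.

```python
# Added example (not code from the thread, Windows, or any Kerberos library): a toy
# model of the application-server side of the Kerberos V5 AP exchange, showing how
# the clock-skew check and the replay cache work together (RFC 4120, section 3.2.3).
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows' "Maximum tolerance for computer clock synchronization" defaults to 5 minutes.
DEFAULT_MAX_SKEW = timedelta(minutes=5)


@dataclass(frozen=True)
class Authenticator:
    """The authenticator fields that matter for these two checks."""
    client_principal: str
    ctime: datetime  # client's clock when the AP-REQ was built (UTC, whole seconds)
    cusec: int       # microseconds part; together with ctime it forms the replay-cache key


class ApplicationServer:
    """Verifies authenticators the way an acceptor does once the ticket is decrypted."""

    def __init__(self, max_skew: timedelta = DEFAULT_MAX_SKEW):
        self.max_skew = max_skew
        # (principal, ctime, cusec) -> time after which the skew check alone rejects it
        self.replay_cache: dict[tuple[str, datetime, int], datetime] = {}

    def accept(self, auth: Authenticator, now: datetime) -> tuple[bool, str]:
        """Return (accepted, reason). `now` is the server's own clock (UTC)."""
        self._expire(now)
        if abs(auth.ctime - now) > self.max_skew:
            # Symmetric: a client running fast fails exactly like one running slow.
            return False, "KRB_AP_ERR_SKEW"
        key = (auth.client_principal, auth.ctime, auth.cusec)
        if key in self.replay_cache:
            return False, "KRB_AP_ERR_REPEAT"
        # The entry only has to outlive the skew window; after that a replay is
        # rejected by the clock check anyway. A larger window means a larger cache.
        self.replay_cache[key] = auth.ctime + self.max_skew
        return True, "OK"

    def _expire(self, now: datetime) -> None:
        self.replay_cache = {k: exp for k, exp in self.replay_cache.items() if exp > now}


def run_demo() -> dict[str, object]:
    """Constructed scenarios; t0 is the server's clock at the first request."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed sample time
    user = "alice@CORP.EXAMPLE"  # hypothetical principal
    results: dict[str, object] = {}

    server = ApplicationServer()  # default 5-minute tolerance
    legit = Authenticator(user, t0 - timedelta(minutes=1), 123456)
    results["legit"] = server.accept(legit, t0)[1]
    # The same captured AP-REQ replayed 30 s later: inside the window, caught by the cache.
    results["replay_30s"] = server.accept(legit, t0 + timedelta(seconds=30))[1]
    # Replayed 10 min later: the cache entry has expired, the skew check catches it.
    results["replay_10min"] = server.accept(legit, t0 + timedelta(minutes=10))[1]

    # The cruise-ship case: a workstation clock set 24 h ahead of or behind the DCs.
    ahead = Authenticator(user, t0 + timedelta(hours=24), 1)
    behind = Authenticator(user, t0 - timedelta(hours=24), 2)
    results["ship_24h_ahead"] = server.accept(ahead, t0)[1]
    results["ship_24h_behind"] = server.accept(behind, t0)[1]

    # "Fixing" it by widening the tolerance to 25 hours.
    lax = ApplicationServer(timedelta(hours=25))
    results["lax_ahead"] = lax.accept(ahead, t0)[1]
    results["lax_replay_10min"] = lax.accept(ahead, t0 + timedelta(minutes=10))[1]
    # How long that entry must now be remembered after receipt: 24 h + 25 h = 49 h.
    expiry = lax.replay_cache[(user, ahead.ctime, 1)]
    results["lax_cache_hours"] = int((expiry - t0).total_seconds() // 3600)
    # A restarted server (empty cache) accepts the replayed authenticator outright.
    restarted = ApplicationServer(timedelta(hours=25))
    results["lax_replay_after_restart"] = restarted.accept(ahead, t0 + timedelta(minutes=10))[1]
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:>25}: {outcome}")
```

Run it directly to see each scenario's outcome. The `lax` server is what raising the domain Kerberos policy tolerance amounts to: the skew check is a cheap bound that lets the replay cache stay small and short-lived, so every hour added to the tolerance is an hour longer a captured authenticator stays usable against any acceptor that has not recorded it.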
 
My understanding of Maximum Tolerance is that I can specify the maximum time
my workstations can be off from the domain controller. We recently upgraded
to Active Directory, and in my environment I have a need to be off by up to 24
hours. We are a cruise line and need to change time as we travel from time zone
to time zone. I know your first inclination will be to ask "WHY change the time
and not the time zone?" But the truth is that we do need to change the time. It
becomes quite complicated, but the general reason is that Outlook Calendar skews
appointments when you change only the time zone; our ship staff needs to work
on local time always, and therefore a time change is a necessity.

The child domain controllers on the ship are on "correct" time, as they are
child domains of a forest that resides on land. Only the workstations need to be
on "local ship time". So my problem is that when the ship is on a date in the
past compared to the domain controller, the Maximum Tolerance adjustment seems
to work fine, but when the ship travels to a time that is in the future of
the domain controller, the Maximum Tolerance setting is ignored and
therefore users are unable to authenticate to the domain because of the time
difference.

What I really need is to find a way to disable Kerberos altogether so I can
change the time on my workstations as I please. Security is not a priority for
me here, as my workstations and domain controllers are not accessible from the
outside world. This is an isolated network, and I can't stress enough that
SECURITY is not my concern. When we had our NT Server environment, Kerberos did
not exist, and for the past 10 years we changed time on our ships and never had
a problem. We need this Kerberos feature disabled; if you know if this is
possible, please advise. We are at a critical state here.

Thank you very much.
 
Look at your domain Kerberos policy settings in the Default Domain GPO. You can
set the tolerance there.
 