Preetam wrote:
>> Does MS cache store the time offsets so that the
>> client can synch time with kdc's time as MIT client
>> does.

To which Jeffrey replied:
> I do not believe so. All Windows machines that support
> Kerberos also support time synchronization via NTP and
> all workstations in a domain synchronize the machine time
> to the domain controllers during machine startup. Therefore,
> there would be little need for them to do so.

I was trying to figure out how Windows clients and servers deal with clock skew a little while back. My memory of the details might be a little off, but the gist should be correct:

> From my observations, the MS SSPI handles time skew between a client and a
> server by using the stime/susec in the KRB_ERROR response to continue the SSPI
> exchange w/an updated time in the authenticator. In the scenario I was
> observing, it looked like that, on a KRB_AP_ERR_SKEW, the client continued and
> re-issued the KRB_AP_REQ with a new authenticator using the KRB_ERROR's
> stime/susec in the authenticator's ctime/cusec.

- Danilo
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
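
The exchange described in the message above, as an added simulation that is not part of the original thread and is not Microsoft's or MIT's code. The class names, the cached `offset_us` field and the 300-second tolerance are assumptions for illustration; only the time fields of the real structures are modelled.

```python
from dataclasses import dataclass

KRB_AP_ERR_SKEW = 37             # error code defined in RFC 4120
MAX_SKEW_US = 300 * 1_000_000    # assumed tolerance: 5 minutes

@dataclass
class Authenticator:             # time fields only
    ctime: int                   # seconds
    cusec: int                   # microseconds

@dataclass
class KrbError:
    error_code: int
    stime: int                   # server seconds
    susec: int                   # server microseconds

def to_us(sec, usec):
    return sec * 1_000_000 + usec

class Server:
    def __init__(self, clock_us):
        self.clock_us = clock_us

    def handle_ap_req(self, auth):
        """Return None on success, else a KRB_ERROR carrying the server time."""
        if abs(to_us(auth.ctime, auth.cusec) - self.clock_us) > MAX_SKEW_US:
            sec, usec = divmod(self.clock_us, 1_000_000)
            return KrbError(KRB_AP_ERR_SKEW, sec, usec)
        return None

class Client:
    def __init__(self, clock_us):
        self.clock_us = clock_us  # constructed local clock, held fixed here
        self.offset_us = 0        # hypothetical cached offset (the question's idea)

    def authenticate(self, server):
        """Return how many KRB_AP_REQ messages were needed."""
        for attempt in (1, 2):
            now = divmod(self.clock_us + self.offset_us, 1_000_000)
            err = server.handle_ap_req(Authenticator(*now))
            if err is None:
                return attempt
            if err.error_code != KRB_AP_ERR_SKEW:
                break
            # Re-issue with stime/susec as ctime/cusec, and remember the offset.
            self.offset_us = to_us(err.stime, err.susec) - self.clock_us
        raise RuntimeError("authentication failed")
```

A client that only retries, without keeping `offset_us`, pays the extra round trip on every new exchange; keeping the offset is what the original question asks about.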
