Here is a case we recently worked on involving a Kerberos authentication failure.
Symptoms:
A web site provides a search function under a virtual directory protected by Integrated Windows authentication. When clients outside the domain access the site by FQDN, they have to click OK three times in the authentication popup before the result grid comes back.
Analysis:
In the IIS log the request fails with HTTP 401 and an sc-win32-status of 2148074241 (0x80090301, SEC_E_INVALID_HANDLE, "The handle specified is invalid"). The sample entry below, in the default W3C field order (date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status), shows a 401.2 with win32 status 2148074254 (0x8009030E, SEC_E_NO_CREDENTIALS) on the same request path:
2009-04-15 00:30:26 W3SVC1 10.101.nn.nn GET /Portal/VD/Show.aspx - 80 - 10.1.19.53 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.1) 401 2 2148074254
In the Security log, the system recorded failure audit Event ID 537 for each attempt:
Event Type: Failure Audit
Event Source: Security
Event Category: (2)
Event ID: 537
Date: 4/15/2009
Time: 3:47:32 PM
User: NT AUTHORITY\SYSTEM
Computer: XXX
Description:
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.101.nn.nn
Source Port: 1310
Caller Process Name: %16
Status code 0xC000006D is STATUS_LOGON_FAILURE and substatus code 0xC0000133 is STATUS_TIME_DIFFERENCE_AT_DC: the clocks of the two computers differ by more than the Kerberos tolerance, which defaults to 5 minutes (the "Maximum tolerance for computer clock synchronization" policy). Kerberos rejects pre-authentication timestamps and AP-REQ authenticators outside that window on purpose; the window is what bounds replay of a captured request, so it should not be widened to "fix" this.
The network trace shows the same thing: the 401 response from IIS carries a Kerberos error token.
HTTP KRB Error: KRB5KRB_AP_ERR_SKEW (text/html)
KRB5KRB_AP_ERR_SKEW means "clock skew too great". It is returned by the accepting server when the client time in the AP-REQ authenticator falls outside the allowed window. Comparing the capture timestamps of the client-side and server-side traces confirmed a difference of about 13 minutes.
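The following PowerShell is an added example, not code from the original post: it decodes the codes that identify this failure in an IIS W3C log line and in a Security event 537 description, and flags the clock-skew signature when both are present. The sample log line and event text are constructed from the values quoted in the case; the field order assumes the IIS 6 default W3C fields, and the code-to-name tables are copied from sspi.h and ntstatus.h.

```powershell
# Added example (not from the original post). Decodes IIS sc-win32-status and
# event 537 Status/Substatus codes and flags the Kerberos clock-skew signature.

# sc-win32-status is an SSPI HRESULT written as unsigned decimal. Names from sspi.h.
$SspiErrorName = @{
    '0x80090301' = 'SEC_E_INVALID_HANDLE'              # "The handle specified is invalid"
    '0x80090308' = 'SEC_E_INVALID_TOKEN'
    '0x8009030C' = 'SEC_E_LOGON_DENIED'
    '0x8009030E' = 'SEC_E_NO_CREDENTIALS'
    '0x80090311' = 'SEC_E_NO_AUTHENTICATING_AUTHORITY'
}
# NTSTATUS values that appear as Status / Substatus codes in event 537 (ntstatus.h).
$NtStatusName = @{
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
    '0xC0000133' = 'STATUS_TIME_DIFFERENCE_AT_DC'
}

function Resolve-Code {
    param([hashtable]$Table, [string]$Code)
    # Hashtable literals compare string keys case-insensitively, so '0xc000006d' also resolves.
    if ($Code -and $Table.ContainsKey($Code)) { $Table[$Code] } else { 'unknown' }
}

function ConvertFrom-IisW3CLine {
    param([string]$Line)
    # Assumed IIS 6 default W3C field order:
    # date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port
    # cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
    # (IIS writes spaces inside the User-Agent as '+', so splitting on ' ' is safe.)
    $f = $Line -split ' '
    $win32 = [uint32]($f[13])
    $hex = '0x{0:X8}' -f $win32
    [pscustomobject]@{
        Time        = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
        ClientIP    = $f[9]
        Uri         = $f[5]
        Status      = "$($f[11]).$($f[12])"          # sc-status.sc-substatus, e.g. 401.2
        Win32Status = $hex
        Win32Name   = Resolve-Code $SspiErrorName $hex
    }
}

function Get-EventField {
    param([string]$Text, [string]$Name)
    # Fields in the 537 description are "Name: value", one per line.
    $pattern = '(?m)^\s*' + [regex]::Escape($Name) + '\s*:\s*(\S+)\s*$'
    if ($Text -match $pattern) { $Matches[1] } else { $null }
}

function ConvertFrom-LogonFailureEvent {
    param([string]$Text)
    $status = Get-EventField $Text 'Status code'
    $sub    = Get-EventField $Text 'Substatus code'
    [pscustomobject]@{
        LogonProcess  = Get-EventField $Text 'Logon Process'
        SourceIP      = Get-EventField $Text 'Source Network Address'
        Status        = $status
        StatusName    = Resolve-Code $NtStatusName $status
        Substatus     = $sub
        SubstatusName = Resolve-Code $NtStatusName $sub
        ClockSkew     = ($sub -eq '0xC0000133')   # STATUS_TIME_DIFFERENCE_AT_DC
    }
}

function Test-KerberosClockSkew {
    param($IisEntry, $Event)
    # Both signals together: a 401 with an SSPI failure on the IIS side and a
    # Kerberos logon failure whose substatus is STATUS_TIME_DIFFERENCE_AT_DC.
    ($IisEntry.Status -like '401.*') -and ($Event.LogonProcess -eq 'Kerberos') -and $Event.ClockSkew
}

# Constructed sample input, taken from the values quoted in the case (addresses left masked).
$iisLine = '2009-04-15 00:30:26 W3SVC1 10.101.nn.nn GET /Portal/VD/Show.aspx - 80 - 10.1.19.53 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.1) 401 2 2148074254'
$event537 = @'
Logon Failure:
Reason: An error occurred during logon
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Source Network Address: 10.101.nn.nn
Source Port: 1310
'@

$iis = ConvertFrom-IisW3CLine $iisLine
$evt = ConvertFrom-LogonFailureEvent $event537
$iis | Format-List
$evt | Format-List
if (Test-KerberosClockSkew $iis $evt) {
    'Kerberos clock skew: compare client and server clocks (w32tm /stripchart) before touching IIS or the application.'
}
```

Running this against the sample prints Win32Name SEC_E_NO_CREDENTIALS for the log line, STATUS_LOGON_FAILURE / STATUS_TIME_DIFFERENCE_AT_DC for the event, and the skew verdict. To use it on a real server, feed the output of Get-Content on the W3SVC log and the Message of the 537 events from Get-EventLog -LogName Security into the two ConvertFrom- functions; on Windows Server 2008 and later the equivalent event is 4625 with the same Status and Sub Status fields.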
Solution:
It is now clear that the time difference (>5 min) between client and server is what breaks the Kerberos authentication. Changing the client machine's time to match the IIS server resolved the issue. The durable fix is to have the client and the server follow the same time source (the domain's time hierarchy, or the NTP source it chains to) so the drift does not return; do not raise the Kerberos tolerance instead, since that only enlarges the replay window. Refer to this article:
Verifying Computer Settings for Troubleshooting Kerberos
http://technet.microsoft.com/en-us/library/cc787535.aspx
------------------------------------------------------------------
Make sure that the clocks are synchronized across the domain.
Many network services, including Kerberos authentication, are dependent on time synchronization throughout the domain. You can manually synchronize a computer with the time on the domain.
To synchronize the computer's time with the current time on the domain
1. Click Start, and then click Run.
2. Type net time /domain /set, and then click OK.
-------------------------------------------------------------------
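The PowerShell below is an added example, not part of the original post or the TechNet article: it measures the client's clock offset against a time reference over NTP (which needs no authentication, so it works while Kerberos is broken), compares the offset with the Kerberos tolerance, and corrects it by resynchronizing the Windows Time service instead of setting the clock by hand. The reference host name is a placeholder; the SkewTime registry value is the client-side override of the 5-minute default and is normally absent; the w32tm /stripchart line format is the one observed on Windows Server 2008 and later and is an assumption to verify on your build. Run it elevated.

```powershell
# Added example (not from the original post). Measures NTP offset to a reference,
# compares with the Kerberos tolerance and resyncs w32time if the skew is too large.

$Reference = 'dc01.example.local'   # placeholder: a DC / the PDC emulator, or on an
                                    # out-of-domain client the NTP source the domain follows
$Samples   = 5

# Kerberos tolerance: the policy "Maximum tolerance for computer clock synchronization"
# defaults to 5 minutes. SkewTime (minutes) under Kerberos\Parameters overrides it on
# this machine and is absent unless someone configured it.
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$skewTime = (Get-ItemProperty -Path $kerbParams -Name SkewTime -ErrorAction SilentlyContinue).SkewTime
$toleranceMinutes = if ($skewTime) { [int]$skewTime } else { 5 }

# Sample the offset over NTP (UDP/123). With /dataonly each sample line is assumed to look like
#   15:47:32, +780.1234567s
# i.e. local time, then the offset in seconds. Error samples ("..., error: 0x...") are skipped.
$lines = & w32tm.exe /stripchart /computer:$Reference /samples:$Samples /dataonly 2>&1
$offsets = foreach ($l in $lines) {
    if ("$l" -match '([+-]\d+(?:\.\d+)?)s\s*$') { [double]$Matches[1] }
}
if (-not $offsets) {
    throw "No NTP samples from $Reference (host unreachable or UDP/123 blocked)."
}
$offsetSec = ($offsets | Measure-Object -Average).Average
'Offset to {0}: {1:N3} s; Kerberos tolerance: {2} min' -f $Reference, $offsetSec, $toleranceMinutes

if ([math]::Abs($offsetSec) -le ($toleranceMinutes * 60)) {
    'Clock is within tolerance; look elsewhere (SPN, delegation, credentials) for the 401.'
    return
}

Write-Warning 'Skew exceeds the Kerberos tolerance: AP-REQs will be rejected with KRB_AP_ERR_SKEW.'

# Resync rather than Set-Date so the machine keeps following its source afterwards.
$source = (& w32tm.exe /query /source) -join ''
if ($source -match 'Local CMOS Clock|Free-running') {
    # Standalone / out-of-domain machine with no time source: point it at the reference first.
    # Domain members already use the domain hierarchy (NT5DS) and skip this branch.
    & w32tm.exe /config /manualpeerlist:$Reference /syncfromflags:manual /update
    Restart-Service -Name w32time
}
& w32tm.exe /resync /rediscover
& w32tm.exe /query /status
```

After the resync, repeat the stripchart to confirm the offset is now well under the tolerance, then retry the site; the Kerberos error in the trace and the 537 events should stop. If the offset keeps growing back, the machine's own source is wrong (a VM whose host clock drifts, or a stale manual peer), and the source, not the client, is what to fix.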
More information:
How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication
http://support.microsoft.com/kb/215383/
Regards,
Anik Shen
Reference:
http://blogs.msdn.com/b/asiatech/archive/2009/04/27/kerberos-authentication-failed-due-to-time-skew.aspx