I have ASP.NET 2.0 site configured to perform Windows Integrated Security using Kerberos delegation. The servers including DC are running on Windows 2003 and the delegation is raised to Windows 2003 level.
BTW, all servers are set to EST
The authentication work well and suddenly server writes a LsaSrv warning event (event id 40960) in System log complaining about time difference between the servers. During this time the clients get a 401.2 message for all requests. After 20-30 mins, the auth starts working "magically"
I ran a wireshark and fiddler trace and found that the timestamp in the response header is in GMT even though the server is configured in EST. I'm not sure how this is picked up. any ideas?
Any other suggestions are much appreciated.
Best Answer
GMT and EST is not likely the problem.
Kerberos requires that all participants have a clock that is within 5 minutes of each other. I suspect you need to ensure that the servers and clients all have a time that is within that window.
I use NTP, personally, even on windows. There is probably a "windows way" though.