We have a DFS share that redirects users to a EMC CIFS share. Several end users are unable to access it and get the following Kerberos Security warning:
The System Detected an attempt to compromise security
I believe it's because the Kerberos permitted clock skew on the DC's is set too low.
Where do I set this, or what other items may be the culprit?
Best Answer
Shane is right about the time skew, it is probably not your issue; the default setting is 5 minutes tolerance btw.
When talking about time-outs, be aware that the time-out value for a Kerberos v5 authentication operation is 30 seconds. This can be adjusted by the
KdcWaitTimevalue in the following key on the Domain Controller:Another issue (although uncommon in small and mid-sized forests), is the default token size limitation of 12 kilobytes. If the users token size exceeds 12K, you might also run into problems. Read more about the token size issue here
This is guesswork however, as your question doesn't really bring any valuable diagnostic information to the table