MS cache format
Danilo Almeida
dalmeida at centeris.com
Fri Sep 8 00:33:19 EDT 2006
Preetam wrote:
>> Does MS cache store the time offsets so that the
>> client can synch time with kdc's time as MIT client
>> does.
To which Jeffrey replied:
> I do not believe so. All Windows machines that support
> Kerberos also support time synchronization via NTP and
> all workstations in a domain synchronize the machine time
> to the domain controllers during machine startup. Therefore,
> there would be little need for them to do so.
I was trying to figure out how Windows clients and servers deal with clock skew a little while back. My memory of the details might be a little off, but the gist should be correct:
From my observations, the MS SSPI handles time skew between a client and a server by using the stime/susec in the KRB_ERROR response to continue the SSPI exchange w/an updated time in the authenticator. In the scenario I was observing, it looked like that, on a KRB_AP_ERR_SKEW, the client continued and re-issued the KRB_AP_REQ with a new authenticator using the KRB_ERROR's stime/susec in the authenticator's ctime/cusec.
- Danilo
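
A minimal model of the exchange described in the message above, added here as an illustration and not taken from the post or from any Microsoft or MIT code. Tickets, encryption and ASN.1 framing are omitted; the class and function names are hypothetical, the error codes and 5-minute window come from RFC 4120, and the clock values are constructed.

```python
from dataclasses import dataclass

KRB_AP_ERR_REPEAT = 34            # RFC 4120 error codes
KRB_AP_ERR_SKEW = 37
US = 1_000_000                    # microseconds per second
MAX_SKEW_US = 5 * 60 * US         # RFC 4120's recommended 5-minute window

@dataclass(frozen=True)
class Authenticator:              # only the two fields the post mentions
    ctime: int
    cusec: int

@dataclass(frozen=True)
class KrbError:
    error_code: int
    stime: int
    susec: int

class Server:                     # hypothetical model of the accepting side
    def __init__(self, clock_us):
        self.clock_us = clock_us
        self.replay_cache = set()

    def ap_req(self, auth):
        """Return None on success, or a KrbError stamped with server time."""
        stime, susec = divmod(self.clock_us, US)
        if abs(self.clock_us - (auth.ctime * US + auth.cusec)) > MAX_SKEW_US:
            return KrbError(KRB_AP_ERR_SKEW, stime, susec)
        if auth in self.replay_cache:
            return KrbError(KRB_AP_ERR_REPEAT, stime, susec)
        self.replay_cache.add(auth)
        return None

def client_authenticate(server, client_clock_us):
    """Return (accepted, attempts, offset_us) for one authentication."""
    first = Authenticator(*divmod(client_clock_us, US))
    err = server.ap_req(first)
    if err is None:
        return True, 1, 0
    if err.error_code != KRB_AP_ERR_SKEW:
        return False, 1, 0
    # Behaviour described in the post: the retry's ctime/cusec are taken
    # straight from the KRB_ERROR's stime/susec.
    retry = Authenticator(err.stime, err.susec)
    # The offset an MIT-style client (as asked about in the thread) would store.
    offset_us = err.stime * US + err.susec - client_clock_us
    return server.ap_req(retry) is None, 2, offset_us

SERVER_NOW_US = 1_157_690_000 * US + 250_000   # constructed sample clock
```

In this model a client ten minutes behind the server succeeds on the second attempt without ever adjusting its own clock, and the replay cache still rejects a second presentation of the same ctime/cusec pair.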