Can't login after changing system date
Hi,

I am having an issue with one of our servers: our Dev guys need to test one of their apps and as a result they need to change the system date back. They change it from the current date to 2010/01/01. Once they change the system date, it won't allow anyone to log in to the server with their domain credentials.

We have a Dev domain and a Backoffice domain. Some users try their dev credentials and they can't log in, and when they use their backoffice credentials it locks out their account. There was a trust relationship set up between the two domains by one of the previous guys that worked here.

I was able to log in with the local Admin and change the date back and everything seemed to work again. Server is running Windows Server 2008 Enterprise Edition.

Can anyone assist please?

Thanks
Migs
January 28th, 2010 11:35am
Hi Migs,

This is caused by Kerberos Authentication's Maximum lifetime for user ticket Kerberos policy. All tickets issued by the KDC have an expiration time. Thus, if a ticket is compromised, it cannot be used outside of a specified time range, usually short enough to make the risk of a replay attack minimal.

For more information, you can refer to:
Authentication Errors are Caused by Unsynchronized Clocks
http://technet.microsoft.com/en-us/library/cc780011(WS.10).aspx

Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
January 28th, 2010 11:55am
Hi Wilson,

Thanks for the response.

This definitely explains the issue but the problem that I am having is that the users are still not being authenticated. It does not allow them to log in at all until the system time/date changes back through the W32time service or if I change it back manually using the local Admin user.

I didn't find any of the errors on the server described in the link. The only one that I found in the event log with some relevance was "The time service has set the time with offset 2332800 seconds."

In the article it states "Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2". Could this be a different issue with Server 2008?

Regards
Migs
January 28th, 2010 12:44pm
Hi Migs,

Thank you for your response.

The article also applies to Windows Server 2008 as it still uses Kerberos Authentication.

To narrow down the issue, please check the following information:

1. After you use local administrator to change back the correct system time, can you use another domain account to log in to this server?
2. Had the Dev user accounts been locked out on the authenticated DC?
3. If you cannot log in with other domain users, please try the following command to reset the secure channel.
   To determine who your secure channel is set up with, type the following at a command prompt:
   NLTEST /SC_QUERY:<DOMAIN_NAME_TO_CHECK>
   To reestablish a secure channel, use the parameter:
   NLTEST /SC_RESET:<DOMAIN_NAME_TO_RESET>
4. If the step 4 does not help, please try re-joining this server to your domain and test the result.

Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
January 29th, 2010 5:49am
Hi Wilson,

To answer your questions above:

1. After changing the system date back to the correct date, all accounts are able to log in.
2. When the system changes to 2010/01/01 the dev accounts were not locked out but they were still not able to log in. It was only the users on the backoffice domain that were locked out. The server that we are changing the system date on sits in the dev domain and there is a trust relationship set up between the backoffice and dev domains.

I ran the NLTEST /SC_QUERY command on the dev server and it stated that it was connected to the dev domain.

Should we change the system date on the dev DC so that all the servers in that domain get the same date?

Regards
Migs
January 29th, 2010 12:58pm
Hi Migs,

Glad to know that after you correct the system all accounts are able to log in.

Yes, you should change the system date on the Dev so that all the servers in that domain get the same date.

Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
February 1st, 2010 6:19am
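The W32Time message quoted in the thread can be checked against the Kerberos clock-skew limit that the linked article describes. The following is an added example, not part of the original posts: it parses "set the time with offset" messages and flags any jump larger than the tolerance. It assumes the default 5-minute "Maximum tolerance for computer clock synchronization" policy; all sample lines except the one quoted from the thread are constructed.

```python
import re

# Assumption: default Kerberos policy "Maximum tolerance for computer clock
# synchronization" of 5 minutes. Change this if your domain policy differs.
MAX_SKEW_SECONDS = 5 * 60

OFFSET_RE = re.compile(r"set the time with offset (-?\d+) seconds", re.IGNORECASE)

# First line is the message quoted in the thread; the rest are constructed samples.
SAMPLE_MESSAGES = [
    "The time service has set the time with offset 2332800 seconds.",
    "The time service has set the time with offset 2 seconds.",
    "The time service has set the time with offset -412 seconds.",
    "The time service is now synchronizing the system time.",
]

def parse_offset(message):
    """Return the signed offset in seconds, or None if the line has no offset."""
    match = OFFSET_RE.search(message)
    return int(match.group(1)) if match else None

def assess(message, max_skew=MAX_SKEW_SECONDS):
    """Describe one time-change message relative to the Kerberos skew limit."""
    offset = parse_offset(message)
    if offset is None:
        return None
    days, remainder = divmod(abs(offset), 86400)
    return {
        "offset_seconds": offset,
        "days": days,
        "hours": remainder // 3600,
        # Beyond this limit the KDC rejects requests from this host, so
        # domain logons fail until the clock is back in range.
        "exceeds_kerberos_skew": abs(offset) > max_skew,
    }

def flag_events(messages, max_skew=MAX_SKEW_SECONDS):
    """Return assessments for every message whose jump breaks the skew limit."""
    results = (assess(m, max_skew) for m in messages)
    return [r for r in results if r and r["exceeds_kerberos_skew"]]

if __name__ == "__main__":
    for event in flag_events(SAMPLE_MESSAGES):
        print("clock jump of {offset_seconds} s (~{days} d {hours} h) "
              "exceeds Kerberos tolerance".format(**event))
```

The offset from the thread works out to exactly 27 days, which matches moving the clock from late January back to 2010/01/01.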


