Overview
This article describes the resolution when the domain users can not log in to their accounts, and security logs show the following:
.... Authentication failed for user <username>. Attempt from IP address <IP address>. External authentication service rejected authentication due to invalid password or authentication restriction.
Debug logs with enabled ‘User Authentication’ show entries such as:
.... Clock skew too great. error code 0x96c73a25 (-1765328347)
Root Cause
The clock offset between Kerio and Active Directory (AD) is the root cause of the Kerberos authentication issue. Because Kerberos is very time-sensitive, you should configure your client machines to use one of your domain controllers as a Network Time Protocol (NTP) server.
Process
- On domain controller (AD), open Group Policy Management Editor.
- Navigate to Kerberos Policy and open Maximum tolerance for computer clock synchronization Properties. If needed, decrease the variable to a lower value, i.e., 2 minutes instead of 3.
- On Linux, check Timesync daemon (
timesyncd.conf).
[Time]
NTP=domaincontroller.pithoslabs.com
FallbackNTP=ntp.ubuntu.com pool.ntp.org
Useful Links
Kerberos authentication: clock skew too great
Clock skew vs. clock offset in the context of clock synchronization network protocols
Configure Kerberos clock synchronization tolerance for Windows Servers
Related Articles
Kerberos External Authentication Service Rejected in Kerio Connect
Connecting Kerio Connect to Directory Services
Configuring krb5.conf File on Linux
Confirmation
The domain users can log in to their accounts.