[thelist] IIS logging local time vs GMT

Ken Schaefer ken at adOpenStatic.com
Thu Apr 22 09:16:38 CDT 2004


----- Original Message ----- 
From: "Joshua Olson" <joshua at waetech.com>
To: <thelist at lists.evolt.org>
Sent: Thursday, April 22, 2004 11:33 PM
Subject: RE: [thelist] IIS logging local time vs GMT


: > -----Original Message-----
: > From: Ken Schaefer
: > Sent: Thursday, April 22, 2004 8:09 AM
: >
: > One implication: If your server is part of a domain that uses Kerberos
: > Authentication (either a Windows Domain, or any other MIT implementation)
: > you will break authentication unless you set the entire
: > domain/realm to GMT
: > (so not just the webserver, but every client machine, and every other
: > server).
:
: Good point.  I knew there would be some sort of fundamental side-effect.
: :-)  I think you just solved a problem I had about 6 months ago with a
: client that one day cleared itself up and nobody knows why.  My new theory
: is that the operator checked the clock over the fall-back for DST and
: noticed the timezone discrepancy.  Once corrected things started working
: better.
:
: <><><><><><><><><><>
: Joshua Olson

Possibly. When connecting to a service, the client encrypts a timestamp with
the session key and sends it to the service. The service decrypts the
timestamp and compares it to the current time on the server. If they are not
within a certain tolerance (usually a few minutes difference max),
authentication will fail. It's a little more complicated (there are a few
other bits of information that also pass between KDC, client and server),
but the bit above explains why the clocks need to be in synch (after
adjusting for a GMT offset). So you can't have a server set to GMT (and
12:00 midnight), and a bunch of other servers at GMT +/-X and also at 12:00
midnight. They'd all need to be in the same timezone if the time is set to
the local time.

Cheers
Ken
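
The timestamp comparison described in the message above, as an added example that is not part of the original thread. It models only the skew check (the encryption of the timestamp with the session key is left out); the function names, the sample clock readings and the 5-minute tolerance are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed tolerance; the message only says "a few minutes difference max".
MAX_SKEW = timedelta(minutes=5)

def utc_instant(wall_clock, utc_offset_hours):
    """Turn what a machine's clock displays, plus its configured zone, into UTC."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return wall_clock.replace(tzinfo=zone).astimezone(timezone.utc)

def service_accepts(client_ts_utc, server_now_utc, max_skew=MAX_SKEW):
    """Server-side check: is the client's timestamp close enough to server time?"""
    return abs(server_now_utc - client_ts_utc) <= max_skew

def check(client_wall, client_offset, server_wall, server_offset):
    """Return (accepted, skew) for one client/server pair (hypothetical helper)."""
    client_ts = utc_instant(client_wall, client_offset)
    server_now = utc_instant(server_wall, server_offset)
    return service_accepts(client_ts, server_now), abs(server_now - client_ts)

# Constructed clock readings: (label, client wall, client zone, server wall, server zone)
CASES = [
    # Different zones, both clocks correct: same instant once the offset is applied.
    ("correct clocks, different zones",
     datetime(2004, 4, 22, 9, 16), -5, datetime(2004, 4, 23, 0, 16), +10),
    # Server zone switched to GMT but its clock still shows the same wall time
    # as a client at GMT-5: the two instants are now five hours apart.
    ("server set to GMT, same wall time as GMT-5 client",
     datetime(2004, 4, 22, 0, 0), -5, datetime(2004, 4, 22, 0, 0), 0),
    # Ordinary drift inside the tolerance.
    ("client clock two minutes fast",
     datetime(2004, 4, 22, 9, 18), -5, datetime(2004, 4, 22, 14, 16), 0),
]

if __name__ == "__main__":
    for label, c_wall, c_off, s_wall, s_off in CASES:
        accepted, skew = check(c_wall, c_off, s_wall, s_off)
        verdict = "accepted" if accepted else "REJECTED (clock skew too great)"
        print(f"{label}: skew={skew} -> {verdict}")
```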


