Kerberos.Net Issue


Currently trying to implement a simple KDC using the Kerberos.Net NuGet.

I have successfully gotten a token via the Bruce tools that follow along, but if I try via Java's kinit or the MIT Kerberos client on Windows, I get the following (note: I get the same error with the Kerberos.NET samples):

kinit: ASN.1 failed call to system time library while getting initial credentials

If I try from an Ubuntu 20.04 machine, with kinit (installed krb5-client), I get the following error:

Kerberos.NET.KerberosValidationException: Timestamp window is greater than allowed skew. Start: 7/14/2042 1:04:05 AM +00:00; End: 10/15/2021 12:13:14 PM +00:00; Skew: 00:05:00
   at Kerberos.NET.Server.PaDataTimestampHandler.Validate(KrbKdcReq asReq, PreAuthenticationContext preauth) in C:\Kerberos.NET-develop\Kerberos.NET\Server\PaDataTimestampHandler.cs:line 60

The setup running is:

AD-DC, Windows Server 2019
Windows 10 client (joined to the above domain)
Console app (KDC) on a second Windows 10 client
Ubuntu 20.04

Goal: have my own KDC be trusted by the AD-DC, and allow login.


There are 1 best solutions below

10
Steve On

Well that's a new one (I'm the project maintainer). Basically what's happening is you've somehow sent a request where the timestamp is the year 2042.

The KDC code knows the current time is 10/15/2021 12:13:14 PM (I guess you typed a random value there 12-13-14?), and it's expecting a value sent by the client to be that time +/- the skew of five minutes. Since 2042 falls outside now +/- 5 minutes it's going to fail the request.

I don't have much more guidance other than the client time is way out of whack and needs to be better aligned with the KDC's time source.
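
To make the skew check described in the answer concrete, here is an added example (not from the post and not Kerberos.NET code) that parses the exception message quoted in the question and reports how far the client timestamp is from the KDC's clock. It assumes the message layout shown above, reads "Start" as the client-sent time and "End" as the KDC's current time (as the answer does), and uses a hypothetical one-day threshold to separate ordinary drift from a grossly wrong timestamp; the second sample line is constructed.

```python
import re
from datetime import datetime, timedelta

# Message layout as quoted in the question's KerberosValidationException.
PATTERN = re.compile(
    r"Start: (?P<start>.+?); End: (?P<end>.+?); Skew: (?P<skew>\d+:\d{2}:\d{2})"
)
STAMP = "%m/%d/%Y %I:%M:%S %p %z"  # e.g. 7/14/2042 1:04:05 AM +00:00

# Assumption (not from the page): offsets beyond this are not ordinary drift
# but a wrong clock or a mis-encoded timestamp.
GROSS_THRESHOLD = timedelta(days=1)

# Line from the question.
PAGE_LINE = ("Timestamp window is greater than allowed skew. "
             "Start: 7/14/2042 1:04:05 AM +00:00; "
             "End: 10/15/2021 12:13:14 PM +00:00; Skew: 00:05:00")
# Constructed sample: client seven minutes behind the KDC.
CONSTRUCTED_LINE = ("Timestamp window is greater than allowed skew. "
                    "Start: 10/15/2021 12:06:14 PM +00:00; "
                    "End: 10/15/2021 12:13:14 PM +00:00; Skew: 00:05:00")


def describe_skew_failure(line):
    """Return offset details for a skew-failure line, or None if no match."""
    m = PATTERN.search(line)
    if m is None:
        return None
    client = datetime.strptime(m.group("start"), STAMP)  # sent by the client
    kdc = datetime.strptime(m.group("end"), STAMP)       # KDC's current time
    h, mi, s = (int(x) for x in m.group("skew").split(":"))
    allowed = timedelta(hours=h, minutes=mi, seconds=s)
    offset = client - kdc
    return {
        "offset": offset,
        "direction": "ahead" if offset > timedelta(0) else "behind",
        "within_skew": abs(offset) <= allowed,   # the KDC's accept condition
        "gross_mismatch": abs(offset) > GROSS_THRESHOLD,
    }


if __name__ == "__main__":
    for sample in (PAGE_LINE, CONSTRUCTED_LINE):
        print(describe_skew_failure(sample))
```

A gross mismatch points at the client's clock or at how the timestamp was produced, whereas a few minutes of offset is the usual time-synchronisation problem.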