Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-0027: Clock synchronization

Authentication Service ,  

12 April,16 at 11:44 AM


Do the clocks have to be in sync and how does this affect logins.


The only time users will have problems authenticating is if the time on the client machine drifts more than 5 minutes from the time on the server machine.

Users who are currently logged in will remain logged in, but will no longer be able to authenticate to new services using their kerberos credentials. New users will not be able to log in until the clocks are synchronized between the client and the server. This is used to prevent replay attacks.

The adjoin command will perform this syncing and keeping both clocks in sync. However if you do not want our program to do that you can use the -t option for adjoin and for our adclient daemon will disable this by editing the /etc/init.d/centrifydc startup script and adding the option -t -1 to the adclient line. The " -t or --notime " is used to indicate that you do not want to update the local computer time. Under normal circumstances, the local computer time should be updated to be synchronized with the Kerberos Key Distribution Center (KDC) in Active Directory. If you use this option, some ticket authentications may fail.