Changing the System Time Can Lock You Out of the Network!

Brian St. Marie – Sr. Systems Engineer

A user today was completely unable to log on to her computer after a crash, receiving the following message:

“The current time on this computer and the current time on the network are different.”

This is actually a pretty common issue, but completely crippling for most users.  No matter what they try, they cannot log on to their computer with a domain account and get network access.  It occurs whenever the workstation and the domain controller disagree on the time by more than 5 minutes, which is the default maximum clock skew that Active Directory's Kerberos implementation tolerates (the limit is configurable through the "Maximum tolerance for computer clock synchronization" Group Policy setting).  Kerberos stamps each authentication request with the sender's current time, and if that timestamp is too far from the domain controller's own clock, the domain controller rejects the request (the Kerberos error is KRB_AP_ERR_SKEW).  The check exists to limit replay attacks: a captured authenticator is only useful within that narrow window, and the server only has to remember recent ones to detect a replay.  Domain-joined Windows machines normally avoid the problem because the Windows Time service (W32Time) keeps every workstation synchronized with the domain controllers, which in turn follow the PDC emulator.  However, when the server's time itself is incorrect, users often take it upon themselves to "correct" the time on their workstations manually.  Once that manual correction puts the workstation more than 5 minutes off the server, they find themselves locked out of the network at their next logon or reboot, and the more carefully they set the clock to the true time, the more certain the lockout is.

The simplest fix is to log on to the workstation with a local Administrator account (local accounts are validated by the workstation itself, not by Kerberos, so the skew does not block them) and bring the clock back to within 5 minutes of the server.  Rather than typing a time by hand, have the Windows Time service do it: w32tm /resync from an elevated command prompt forces an immediate synchronization with the domain time source.  If the computer is logged on to a domain account that has cached credentials and the network is disconnected, that account can usually get in as well, because with no domain controller reachable Windows validates against the cache instead.  Domain accounts, Domain Admins included, are otherwise subject to the same Kerberos check as everyone else.  The real cure is to correct the time on the PDC emulator, the authoritative clock for the whole domain, so that users have no reason to touch their workstation clocks in the first place.
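Here is an added example (not from the original post) of how an administrator can diagnose and repair this from the affected workstation: it measures the clock offset against a domain controller with w32tm, compares it to the domain's Kerberos tolerance, and resynchronizes only if the clock is actually outside the window.  Run it in an elevated PowerShell session; the domain controller name is a placeholder, and the SkewTime registry value is read only so that a domain with a non-default tolerance is handled correctly.

```powershell
# Added example, not part of the original post.
# Measure this workstation's clock skew against a domain controller and, if it
# exceeds the Kerberos tolerance, force the Windows Time service to resync.
# Requires local Administrator and network reachability to the DC.
param(
    # Assumption: replace with a real domain controller name in your domain.
    [string]$DomainController = 'dc1.corp.example'
)

# Active Directory's default Kerberos clock tolerance is 5 minutes. A domain
# that overrides it via the "Maximum tolerance for computer clock synchronization"
# policy exposes the value (in minutes) as SkewTime under the Kerberos parameters.
$defaultSkewMinutes = 5
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$skewTime = Get-ItemProperty -Path $kerbParams -Name SkewTime -ErrorAction SilentlyContinue
$maxSkewMinutes = if ($skewTime) { [int]$skewTime.SkewTime } else { $defaultSkewMinutes }

# w32tm /stripchart /dataonly prints one sample per line in the form
# "13:18:39, +00.0031227s": the remote clock's offset relative to ours.
$samples = w32tm /stripchart /computer:$DomainController /samples:3 /dataonly |
    Select-String -Pattern '([+-]\d+\.\d+)s' |
    ForEach-Object { [double]$_.Matches[0].Groups[1].Value }

if (-not $samples) {
    throw "Could not obtain a time sample from $DomainController (unreachable, or time service blocked)."
}

$offsetSeconds = ($samples | Measure-Object -Average).Average

"Reference DC       : $DomainController"
"Clock offset       : {0:N3} seconds" -f $offsetSeconds
"Kerberos tolerance : $maxSkewMinutes minutes"
"Current time source: $(w32tm /query /source)"

if ([math]::Abs($offsetSeconds) -gt ($maxSkewMinutes * 60)) {
    Write-Warning 'Clock is outside the Kerberos tolerance; domain logons will fail until it is corrected.'
    # /rediscover makes W32Time re-locate its time source (useful if someone
    # pointed it at a dead peer) before synchronizing immediately.
    w32tm /resync /rediscover
    # Report the state after the sync so the operator can confirm it took effect.
    w32tm /query /status
}
else {
    'Clock is within tolerance; no change needed.'
}
```

If the offset reported here is small but users are still locked out, the domain controller itself is the one that is wrong; in that case run the same check on the PDC emulator against a trusted external NTP source and correct the server rather than the workstations.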