cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
33535
Views
0
Helpful
8
Replies

"There is a time difference between the client and the server"

pbarman
Level 5
Level 5

Unity 4.0.3

All was working fine, and suddenly I am not able to log into Unity server using any domain account. When I enter the username/password/domain, I get this error message:

************************************************

The system can not log you on due to the following error:

There is a time difference between the client and the server.

Please try again or consult your system administrator.

**************************************************

I can use the same domain account (unityinstall) and log into other machines. I can log into the Unity machine using a local account. There is no time difference between the DC and Unity server.

Need help,

Thanks,

Partha

1 Accepted Solution

Accepted Solutions

Hin Lee
Cisco Employee
Cisco Employee

log on to your computer LOCALLY using an account with administrative privileges

At the command prompt type the following:

NET TIME /DOMAIN:name /SET

Found this on MS site:

Cannot Log On If Time and Date Are Not Synchronized

http://support.microsoft.com/default.aspx?scid=kb;en-us;232386&Product=win2000

View solution in original post

8 Replies 8

Hin Lee
Cisco Employee
Cisco Employee

log on to your computer LOCALLY using an account with administrative privileges

At the command prompt type the following:

NET TIME /DOMAIN:name /SET

Found this on MS site:

Cannot Log On If Time and Date Are Not Synchronized

http://support.microsoft.com/default.aspx?scid=kb;en-us;232386&Product=win2000

You rock! It worked !!!

I'm curious -- why did this have any effect if in fact there was no time difference between the Unity box and the DC?

If the client computer's time or date is not synchronized with the authenticating domain controller, Kerberos validation does not succeed.

This occurs because of the variation in the time stamps between the AS_Req and AS_reply between the client and server.

I know that, and I know how Kerberos works. But in the original message, pbarman said "There is no time difference between the DC and Unity server." "No time difference" implies synchronization, doesn't it?

Yes indeed there was no time difference. I did confirm that the minutes were exactly matching and to the best of my knowledge the seconds were too. Not sure why this would still happen ???

I'm more than just mildly curious about this -- we saw the same problem when we were running a Windows 2000 AD domain. Even spent $99 on a Microsoft case to try to resolve it. Even though we provided network monitor traces that showed the times agreed to within a few milliseconds, Kerberos complained about time synchronization, and Microsoft just gave up. We bumped the Kerberos tolerance up to 15 minutes, which minimized the problem, but ultimately just lived with it until we upgraded to Windows 2003, at which time the problem went away.

I just wanted to add to this as this is what did the fix for me.

This will be for a Windows Domain environment.

Check to see if you have a group policy in place to sync the time of your clients and servers. If you don't have this setup, you'll want to enable it.

Open Group Policy Management Editor > Comp config > Admin Temp >

System > Windows Time Serve > Time Providers

Enable "Configure Windows NTP Client" and add the NTPServer in your domain. This will likely be your primary DC. Then enable "Enable Windows NTP Client" and "Enable Windows NTP Server."

 

Once those are enabled. We'll want to enable Windows Time service on all the clients.
Open Group Policy Management > Comp Config > Preferences > Control Panel Settings > Services

Double Click Services > Right click and select New Service.

Set Startup to Automatic
In Service Name search for "Windows Time", select it.

In Service Action Select "Start Service." 

If you click on the other tabs you can set this restart service if it fails, ensure that the GPO only makes this change once, etc..

 

Once, that is done there are a few things you can do to update the client's PC.

 

Run GPupdate /force

Check and ensure Windows Time service is enabled and set to automatic.

 

W32tm /stripchart /computer:RandyLepr-E7440 /samples:5

 

Net time \\"DomainController FQDN or IPADDRESS of Time Server"

Net time /"Domain"

W32tm /config /manualpeerlist:"DomainController FQDN or IPADDRESS of Time Server" /syncfromflags: manual /reliable:yes /update

 

W32tm.exe /resync

w32tm /query /status

 

Hopefully that last /status command will have the client sync'ed up and within 0.00001 seconds of your Time Server.