Cannot login to domain

  • dafunk
  • Student
  • Posts: 87

Post 3+ Months Ago

Hello,
Sometimes when I log in to Windows XP at my school computer lab, the PC will not log in. It will give me a message that says
"The local PC clock and domain clock are not the same. contact your network administrator. "

If I unplug the network jack from the back of the PC when I log in, it will allow me to log in with no problem. All I've got to do is plug the jack back in and voilà!! I am in.
Why does it do this?
Does it have to do with "cached credentials"? I should mention the password is blank. (Maybe this has something to do with it?)
Could someone please explain why this happens?
Thanks in advance
  • grinch2171
  • Moderator
  • Genius
  • Posts: 6809
  • Loc: Martinsburg, WV

Post 3+ Months Ago

It has to do with the time on the Domain Controller and the time on the XP machine being out of tolerance.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

What ^^he^^ said.

Quote:
Maximum Tolerance For Computer Clock Synchronization: The Maximum tolerance for computer clock synchronization is one of the few Kerberos policies that may need to be changed. By default, computers in the domain must be synchronized within five minutes of each other. If the client clock and the server clock are not synchronized closely enough, a client ticket is not issued. The default value is 5 minutes, and settings are in minutes. If there are remote users that log on to the domain without synchronizing their clock to the network timeserver, it may be necessary to adjust this value. However, changing this value to provide a wider margin can leave the system open to replay attacks. Therefore the default must be maintained for the Evaluated Configuration.

http://www.microsoft.com/technet/securi ... adm09.mspx


You need to reset your XP computer clock to within 5 minutes of the Domain Controller clock. It's not likely that your domain admin is going to change the Kerberos policy for the domain.
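A simplified model of the check the quoted policy describes, added here as an illustration (it is not from the thread or from Microsoft): a server accepts a timestamped authenticator only if it falls within the tolerance, and a replay cache covers that same window. The class, the client name and the sample times are constructed, and real Kerberos authenticators are encrypted and carry more fields.

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # default tolerance from the quoted policy


class AuthenticatorChecker:
    """Toy model of server-side checks on a timestamped authenticator."""

    def __init__(self, max_skew=MAX_SKEW):
        self.max_skew = max_skew
        self._seen = {}  # (client, timestamp) -> time until which entry is kept

    def check(self, client, client_time, server_time):
        # Forget entries that the skew check alone would already reject.
        self._seen = {k: exp for k, exp in self._seen.items()
                      if exp >= server_time}
        # 1. Clock skew: the client's timestamp must be close to our clock.
        if abs(server_time - client_time) > self.max_skew:
            return "rejected: clock skew too great"
        # 2. Replay: the same authenticator seen twice inside the window.
        key = (client, client_time)
        if key in self._seen:
            return "rejected: replay"
        self._seen[key] = client_time + self.max_skew
        return "accepted"


def demo():
    dc_now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed
    user = "labuser"                                            # constructed
    server = AuthenticatorChecker()
    out = []
    # Lab PC clock 7 minutes behind the domain controller: no ticket.
    out.append(server.check(user, dc_now - timedelta(minutes=7), dc_now))
    # Same PC after a resync (2 seconds off): accepted.
    ts = dc_now - timedelta(seconds=2)
    out.append(server.check(user, ts, dc_now))
    # Identical authenticator 1 minute later: caught by the replay cache.
    out.append(server.check(user, ts, dc_now + timedelta(minutes=1)))
    # 10 minutes later the cache entry is gone, but the skew check rejects it.
    out.append(server.check(user, ts, dc_now + timedelta(minutes=10)))
    # A server with a 30-minute tolerance and no record of the original
    # accepts the same 10-minute-old authenticator: the wider margin at work.
    wide = AuthenticatorChecker(max_skew=timedelta(minutes=30))
    out.append(wide.check(user, ts, dc_now + timedelta(minutes=10)))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```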
  • dafunk
  • Student
  • Posts: 87

Post 3+ Months Ago

Thanks for the replies :D

I understand the clock synchronization, but I still am not clear about a few other things.
Quote:
If the client clock and the server clock are not synchronized closely enough, a client ticket is not issued

How am I able to log on when I unplug the network cable? What is authenticating me?
Is it "cached credentials" or is it local? I don't think it's local PC policy; I'm still allowed to see the network???:scratchhead:

From Microsoft
Quote:
Notification of logon using cached domain credentials
When you try to log on to a domain from a Windows-based client computer, and a domain controller is unavailable, you do not receive an error message. Therefore, you may not notice that you logged in with cached domain credentials.

Don't cached credentials defeat the purpose of authentication?
  • grinch2171
  • Moderator
  • Genius
  • Posts: 6809
  • Loc: Martinsburg, WV

Post 3+ Months Ago

When you unplug the network cable you are more than likely using cached credentials. Also without the network cable the PC has no way of knowing it isn't synced with the domain controller as far as time goes. In a domain environment the PC gets its time from the domain controller.

Once logged in plug the network cable back in and open a command prompt and type in w32tm /resync and that should fix the time issue.

[EDIT] As far as cached credentials defeating the purpose of authentication, yes and no. Say you are a laptop user and you take your laptop home with you. At home you do not have a domain controller to authenticate to but you still need to login. Also, what if there was a network outage and you still needed to do work that didn't require network access? Cached credentials can be disabled or the number of logins can be changed, I think default is 10.
  • dafunk
  • Student
  • Posts: 87

Post 3+ Months Ago

Thanks for the info :beerchug:

Is there a way to log in to the local machine, or on a domain are accounts only allowed to log in to the DC?
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

At the login, choose Options. You'll get a dropdown window and you can choose from the domain or the local computer. However, you cannot login to the local computer with your domain account. An administrator with rights to the local computer has to set up local user accounts first.

//remember a local account is a completely separate profile from your domain account. You will not have any access to any local files or network drives associated with your domain account. That in essence, as grinch noted, is a prime reason for cached credentials. So you can continue to work "offline" or remotely and still maintain access to your files.
  • grinch2171
  • Moderator
  • Genius
  • Posts: 6809
  • Loc: Martinsburg, WV

Post 3+ Months Ago

On a domain joined PC you can logon to a local account but you will not be authenticated to the domain and access to domain resources will still require you to enter in your domain credentials. However, the only local account is usually the admin account. You could ask your sysadmin to create a local user account for you to use in situations where you don't need domain resources but if there is not a need for it he/she would probably tell you no, at least I would.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Great minds think alike at the same time, grinch *wink*
  • dafunk
  • Student
  • Posts: 87

Post 3+ Months Ago

You guys are two great minds!
At login I just tried the local computer from the options and a message said
"The system could not log you on. Make sure your user name and domain are correct."

Quote:
You will not have any access to any local files or network drives associated with your domain account. That in essence, as grinch noted, is a prime reason for cached credentials.

Not even local files! I understand network drives, but why not local files if you're on the local account?
Sorry about all the questions.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Because it's a different profile, and unless your local user account is an Administrator account you will not be able to access any other profile than your own local one. Which means all the files in your My Documents folder, Desktop, etc., associated with your domain account will be inaccessible.
  • grinch2171
  • Moderator
  • Genius
  • Posts: 6809
  • Loc: Martinsburg, WV

Post 3+ Months Ago

You'll have access to installed programs but anything you saved under your domain account like Word documents or PDFs will not be available to you. And of course e-mail if you use Outlook.
  • grinch2171
  • Moderator
  • Genius
  • Posts: 6809
  • Loc: Martinsburg, WV

Post 3+ Months Ago

We need to stop this ATNO ;)
