Windows 10: Windows 11 authentication with kerberos trust: date/time difference between client and server

Discussion in 'Windows 10 Software and Apps' started by John Perkins3, May 8, 2023.

  1. Windows 11 authentication with kerberos trust: date/time difference between client and server


    We operate a kerberos trust between our domain controllers and a Linux-based kerberos KDC for user authentication; users in Active Directory have an altSecurityIdentity field set pointing to "Kerberos:<username>@<REALM>" to authenticate user <username> via the kerberos KDC. We have a significant Linux install base, and this allows us to keep all password authentication in one source. Windows 11 clients, once joined to our domain, report "There is a time and/or date difference between the client and server." Windows 10 clients and Server 2016/2019/2022 systems authenticate as e

     
    John Perkins3, May 8, 2023
    #1
  2. Brink Win User

    Released: Microsoft Kerberos Configuration Manager for SQL Server v3.1


    Source: Released: Microsoft Kerberos Configuration Manager for SQL Server v3.1 | SQL Server Release Services
     
    Brink, May 8, 2023
    #2
  3. DimitarEX Win User
    Radius server + WLC and Client Certificate Authentication

    Hello people,

    We have an issue with our radius server.

    I will explain what our goal is and what configuration we have so far:

    Our goal is to authenticate clients in the domain using WLC and Client Certificate Authentication.

    Each client in our domain has a unique personal certificate.

    The idea is that when an employee starts his PC, it automatically connects to the recommended network specified by the GPO, using the certificate and not the username and password.



    Currently, we have configured the Cisco WLC controller to receive the client certificate, authenticate it and provide the IP address (of course, if the policies are validated).

    After that, the WLC controller has to send the request to the radius server. The radius should check if the certificate is valid (not expired) and not included in the revocation list.

    This is where our issue came up. It seems that the radius cannot access the revocation list and cannot check if the certificate is revoked.

    We validated that by disabling the revocation list check in the Radius server registry settings.

    If we set it to ignore the revocation list check, the authentication succeeds, and the client is authenticated successfully.

    The thing is that this way we lower the security of the connection significantly and we would like to make sure the certificate is validated against the revocation list.

    At the same time, there are no issues in the connection between the RADIUS server and the server where the revocation list is stored/published.



    Could you please let me know if there is any specific configuration that should be made in order for the radius to be able to check the status of the authenticated certificate in the revocation list?

    Is there any configuration guide that we have to follow in order to implement the necessary configuration in the most proper way?
     
    DimitarEX, May 8, 2023
    #3
  4. Windows 11 authentication with kerberos trust: date/time difference between client and server

    Server 2019 DC - Kerberos RC4

    We have recently promoted a 2019 Server to be a domain controller but it won't authenticate access to our EMC VNX datastore, which we believe only supports RC4 Kerberos. Is there any way to enable RC4 Kerberos in Server 2019, as it appears to have been removed?

    (Using the IIS Crypto tool we can see the 2019 server does not have any RC4 ciphers)

    Access to the EMC VNX datastore works from 2012 and 2016 DCs.

    Access from the 2019 server to all other devices on the network also works (we can see these using AES encryption via the klist utility).

    I can see no documentation suggesting any changes around Kerberos in server 2019
     
    AndySummers, May 8, 2023
    #4