Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN 3005 v4.0 and Kerberos


Has anybody tried to configure the VPN concentrator version 4.0 with kerberos authentication to a Microsoft active directory domain controller?

I think I passed the challenge to configure REALM correctly.

But I never pass authentication because of a clock error.

Does anybody know how to solve that problem?

Thanks Markus

New Member

Re: VPN 3005 v4.0 and Kerberos


By clock error, do you mean the concentrator time ??? Are you running NTP on the concentrator and is the concentrator time sync'd to within 5 minutes of the W2K KDC/DC ???

The Kerberos client time needs to be within 5 minutes of the KDC's.

Kerberos authentication to W2K on the VPN concentrator works fine for us...

Hope this helps...


New Member

Re: VPN 3005 v4.0 and Kerberos


Thanks for reply.

We do not use NTP but the time is exactly the same (about 1 second) and we are in the same time zone. Anyway it does not work.

The concentrator always brings a KDC clock is not sync. Maybe we have to trie it with NTP. But I don't think so.

Thanks a lot


New Member

Re: VPN 3005 v4.0 and Kerberos


NTP is not necessary as long as the clocks are within tolerance...

I'm not a Windows expert, but you may want to check the Kerberos pre-authentication settings, which I believe may use an encrypted timestamp.

Otherwise...I'm stumped ;-)


New Member

Re: VPN 3005 v4.0 and Kerberos

Yes, we are running it now.

We are using MS IAS (Radius) for all VPN authentication. Created the Secret key on both boxes and set the client name. In the groups you need to make it all or nothing. You can have a local group and a radius group, or the the Radius group will try to take the Group access Information and try to authenticate against it, thus leaving the connection never established. We set the group to Base Group to radius and it lets all users authenticate off of AD.

We are running a mixed bag. Most kerberos, but IT staff is using reverse encryption and all is working.

As far as the clos error. Active directory is the time server for al clients. Load Atomic Clock on the DC's and then tell the concentrator that one of the DC's is the NTP server. This should fix it as well as keep all your client machines up to date. Having a DC in Eastern time ad the concentrator in GMT will even mess it up, even though they have the same time they are really off.

Hope this helps.