You encounter a login failure with a message that says, "Your system's internal clock is not synchronized with your authentication server" or "KRB5KRB_AP_ERR_SKEW" when your system clock needs to be synchronized with Active Directory.
To synchronize your system clock with Active Directory
You encounter a login failure with a message that says, "The authentication server policy does not allow you to log in at this time.", "KRB5KDC_ERR_POLICY"or "KRB5KDC_ERR_CLIENT_REVOKED" when a user's account has been restricted, locked out, or expired. This message is also displayed when a user, whose account is marked "Smart card required for login", attempts to log in with a password.
Check the user's account settings in Active Directory. For more information, see Check login.
You encounter a login failure with a message that says, "Your certificate cannot be verified by the authentication server" or "KRB5_KDC_ERROR_CANT_VERIFY_CERTIFICATE" when either Safeguard Authentication Services for Smart Cards was unable to automatically bootstrap the trusted certificates; or, the CA certificate that was used to issue that certificate is not in NtAuthCertificatescontainer in Active Directory. Generally, this error occurs when Active Directory is verifying the user's certificate, or when Safeguard Authentication Services for Smart Cards is verifying the KDC certificate returned by Active Directory.
For more information, see Bootstrapping trusted certificates.
An error displays, similar to the following:
KRB5KDC_ERR_PADATA_TYPE_NOSUPP (-1765328368): KDC has no support for padata type
This error occurs if the domain controller does not have a Domain Controller Authentication Certificate.
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center