VPN Client Authentication Issues Because of 'The time has shifted back' Error

Overview

This article provides information on how to resolve the Kerio VPN client Failed authentication issue.

The following errors are shown in the Warning logs:

[15/Apr/2019 09:31:42] The time has shifted back (567 s).
[16/Apr/2019 09:31:44] The time has shifted back (568 s).

The Security logs would show the following entries:

[16/Apr/2019 05:59:21] Authentication: VPN Client: Client: x.x.x.x: Invalid password for NT/Kerberos user username1
[16/Apr/2019 09:25:17] Authentication: VPN Client: Client: y.y.y.y: Invalid password for NT/Kerberos user username2

Prerequisites

Kerio Control connected to Directory Service

Root Cause

The time is not synchronized correctly between Kerio Control and AD/OD servers, which leads to VPN client authentication failures. The timestamps in Kerio VPN client, Kerio Control server, and Directory server are different (out of sync).

Resolution

Log in to the Kerio Control Webadmin.
Navigate to Configuration > Advanced Options > System Configuration, and modify the NTP server settings to direct to the Trusted NTP servers.

Recommended servers are:
- 0.kerio.pool.ntp.org
- 1.kerio.pool.ntp.org
- 2.kerio.pool.ntp.org
- 3.kerio.pool.ntp.org

Note: The Directory Server Time settings should be synchronized to the same NTP servers.

Choose files or drag and drop files

Tags:

Was this article helpful?

Yes

Priyanka Bhotika
Posted
Updated

Comments

Please sign in to comment