Microsoft KB Archive/938454

= Error message when you try to log on to a Windows Vista-based client computer across a domain trust: &quot;There is a time and/or date difference between the client and server&quot; =

Article ID: 938454

Article Last Modified on 7/6/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Windows Vista Business
 * Windows Vista Enterprise
 * Windows Vista Ultimate

-



SYMPTOMS
Consider the following scenario. You have a domain on which user accounts reside and another domain on which computer accounts reside. You have established a trust relationship between these domains. However, when you try to log on to a Windows Vista-based client computer across the trust, the logon process fails. Additionally, you receive an error message that contains a white “X” inside a red circle. The text of this error message resembles the following:

There is a time and/or date difference between the client and server.

Note This issue occurs even though there is no significant time difference between the client computer and the server. This issue occurs only on Windows Vista-based client computers.



CAUSE
This issue occurs on Windows Vista-based client computers if the following conditions are true:  The Do not require Kerberos preauthentication check box is selected for the user account. The domain controller that manages the Active Directory user accounts contains the following version of the Kdcsvc.dll file or an earlier version:

kdsvc 5.2.3790.1830 (srv03_sp1_rtm.050324-1447)





RESOLUTION
To resolve this issue, install Microsoft Windows Server 2003 Service Pack 2 (SP2) on the domain controller that manages the Active Directory user accounts. For more information about how to obtain the latest service pack for Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

889100 How to obtain the latest service pack for Windows Server 2003



WORKAROUND
To work around this issue, click to clear the Do not require Kerberos preauthentication check box in the  Properties dialog box on the domain controller. To do this, follow these steps:
 * 1) In the Active Directory Users and Computers snap-in, expand Users.
 * 2) Right-click the affected user’s account, and then click Properties.
 * 3) On the Account tab, click to clear the Do not require Kerberos preauthentication check box in the Account options list, click Apply, and then click OK.
 * 4) Close the Active Directory Users and Computers snap-in.
 * 5) Verify that the affected user can successfully log on to the domain.

Keywords: kberrmsg kbtshoot kbprb kbexpertiseadvanced KB938454

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.