security tab freezes (on server) when adding a user

By ocarol ·
i'm VPN into my server and trying to add a user in the security tab to have access to a folder and when either click on OK/Apply, it would eat up the CPU and never completes the process. it hangs until i close the window.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Could this be why?. read more here..

Before I Begin

Before I get started, I just want to quickly mention that in order to provide as much useful information as possible, I am going to avoid talking about the most obvious causes of logon failures. This article assumes that before you begin the troubleshooting process, you have checked to make sure that the user is entering the correct password, the user's password has not expired, and that there are no basic communications problems between the workstation and the domain controller.
The System Clock

It may seem odd, but a workstation's clock can actually be the cause of a logon failure. If the clock is more than five minutes different from the time on your domain controllers, then the logon will fail.

In case you are wondering, the reason for this has to do with the Kerberos authentication protocol. At the beginning of the authentication process, the user enters their username and password. The workstation then sends a Kerberos Authentication Server Request to a the Key Distribution Server. This Kerberos Authentication Server Request contains several different pieces of information, including:

* The user?s identification
* The name of the service that the user is requesting (in this case it?s the Ticket Getting Service)
* An authenticator that is encrypted with the user?s master key. The user?s master key is derived by encrypting the user?s password using a one way function.

When the Key Distribution Server receives the request, it looks up the user?s Active Directory account. It then calculates the user?s master key and uses it to decrypt the authenticator (also known as pre authentication data).

When the user?s workstation created the authenticator, it placed a time stamp within the encrypted file. Once the Key Distribution Server decrypts this file, it compares the time stamp to the current time on its own clock. If the time stamp and the current time are within five minutes of each other, then the Kerberos Authentication Server Request is assumed to be valid, and the authentication process continues. If the time stamp and the current time are more than five minutes apart, then Kerberos assumes that the request is a replay of a previously captured packet, and therefore denies the logon request. When this happens, the following message is displayed:

The system cannot log you on due to the following error: There is a time difference between the client and server. Please try again or consult your system administrator.

The solution to the problem is simple; just set the workstation?s clock to match the domain controller?s clock.
More here:

Please post back if you have any more problems or questions.

Related Discussions

Related Forums