Event ID 5 — Kerberos Client Configuration

Applies To: Windows Server 2008 R2

If the client computers are joined to an Active Directory domain, the Kerberos client is configured to request ticket-granting tickets (TGTs) from the Kerberos Key Distribution Center (KDC) automatically. On successful receipt of the ticket, the Kerberos client caches the ticket on the local computer.

Event Details

Product: Windows Operating System
ID: 5
Source: Microsoft-Windows-Security-Kerberos
Version: 6.1
Symbolic Name: KERBEVT_KRB_AP_ERR_TKT_NYV
Message: The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server %1. This indicates that the ticket used against that server is not yet valid (in relationship to that server time). Contact your system administrator to make sure the client and server times are in sync, and that the KDC in realm %2 is in sync with the KDC in the client realm.

Resolve

Synchronize time on Kerberos client

To resolve this issue, synchronize with time on the Kerberos client with the KDC.

To perform this procedure, you must be a member of local Administrators group, or you must have been delegated the appropriate authority.

To synchronize the time on the Kerberos client:

  1.  Open an elevated command prompt. To open an elevated command prompt, click Start, point to All Programs, and then point to Accessories.
  2. Right-click Command Prompt, and then click Run as administrator.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Type net time /set /yes, and then press ENTER.

Verify

To verify that the Kerberos client is correctly configured, you should ensure that a Kerberos ticket was received from the Key Distribution Center (KDC) and cached on the local computer. You can view cached Kerberos tickets on the local computer by using the Klist command-line tool.

Note: Klist.exe is not included with Windows Vista, Windows Server 2003, Windows XP, or Windows 2000. You must download and install the Windows Server Resource Kit before you can use Klist.exe.

To view cached Kerberos tickets by using Klist:

  1. Log on to the Kerberos client computer.
  2. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
  3. Type klist tickets, and then press ENTER.
  4. Verify that a cached Kerberos ticket is available.
    • Ensure that the Client field displays the client on which you are running Klist.
    • Ensure that the Server field displays the domain in which you are connecting.
  5. Close the command prompt.

Kerberos Client Configuration

Core Security