Saturday Link Roundup–Group Policy, Kerberos, BranchCache

Group Policy

Kerberos

BranchCache

What happens if my Windows Domain time clock is fast …

… and I want to change it back?

It depends on the operating system.

The latest documentation from Microsoft states:

MaxAllowedPhaseOffset

Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

Version
Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the maximum offset (in seconds) for which W32Time attempts to adjust the computer clock by using the clock rate. When the offset exceeds this rate, W32Time sets the computer clock directly. The default value for domain members is 300. The default value for stand-alone clients and servers is 1. …

The article goes on to show you, with a formula, how to calculate what will happen if you change your time clock.
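The documented rule quoted above (offsets up to MaxAllowedPhaseOffset are slewed by adjusting the clock rate, larger ones are stepped by setting the clock directly) can be checked on a real machine. The following is an added example, not code from the original post or from Microsoft's documentation: it reads the registry value from the path given above, falls back to the documented defaults when the value is absent, measures the current offset against the configured time source with the built-in `w32tm` tool, and reports which correction W32Time would apply. The time-source name in the comments is an assumed placeholder.

```powershell
# Added example, not from the original post or from Microsoft's documentation.
# Decides whether a clock offset would be slewed (corrected gradually by
# adjusting the clock rate) or stepped (clock set directly), following the
# documented rule: offsets up to MaxAllowedPhaseOffset are slewed, larger ones
# are stepped.
function Get-W32TimePhasePolicy {
    [CmdletBinding()]
    param(
        # Offset between this computer's clock and the reference, in seconds.
        # Only the magnitude matters for the slew/step decision.
        [double]$OffsetSeconds = 0
    )

    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    $config  = Get-ItemProperty -Path $keyPath -ErrorAction Stop

    # Defaults quoted in the documentation: 300 s for domain members, 1 s for
    # stand-alone machines. Used only when the value is absent from the registry.
    $threshold = if ($null -ne $config.MaxAllowedPhaseOffset) {
        [int]$config.MaxAllowedPhaseOffset
    } elseif ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
        300
    } else {
        1
    }

    $action = if ([math]::Abs($OffsetSeconds) -gt $threshold) {
        'Step: W32Time sets the clock directly'
    } else {
        'Slew: W32Time adjusts the clock rate'
    }

    [pscustomobject]@{
        MaxAllowedPhaseOffsetSeconds = $threshold
        OffsetSeconds                = $OffsetSeconds
        Action                       = $action
    }
}

# Measures the real offset against the configured time source with the built-in
# w32tm tool. "w32tm /query /source" prints e.g. "dc01.example.local,0x9"
# (assumed placeholder name); the flags after the comma are stripped.
# "w32tm /stripchart /dataonly" prints one sample per line such as
# "10:15:02, +00.0421337s", from which the offset in seconds is parsed.
function Get-W32TimeCurrentOffset {
    $source = ((w32tm /query /source) -join '').Trim() -replace ',.*$', ''
    if ($source -match 'Local CMOS Clock|Free-running') {
        throw "No network time source configured ($source); nothing to compare against."
    }
    $sample = w32tm /stripchart /computer:$source /samples:1 /dataonly | Select-Object -Last 1
    if ($sample -notmatch '([+-]\d+\.\d+)s') {
        throw "Unexpected w32tm output: $sample"
    }
    [double]$Matches[1]
}

# Example run: report what W32Time would do with the current offset.
Get-W32TimePhasePolicy -OffsetSeconds (Get-W32TimeCurrentOffset)
```

Run it in an elevated PowerShell session on the machine in question. The domain-member default of 300 seconds is the same five minutes as the default Kerberos clock-skew tolerance, which is why a domain member whose clock drifts beyond it stops authenticating rather than quietly slewing back; checking the threshold and the actual offset together tells you whether the correction will be a gradual slew or an abrupt step.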

How Windows 2000 did it (illustrated by an image in the original post; not reproduced here)


400 Bad Request and Internet Explorer.

The customer reported that they were unable to access our company intranet site. They were getting a "400 Bad Request" error from Internet Explorer.

So what did I do? I picked up the phone and asked our "Web Admin" chap, "What have you done to our poor customer?"

‘Nothing Wisefaq, but here’s the answer to the problem:
The customer is a member of 140+ Active Directory Groups, and this is causing the Kerberos token to be far too long for our Apache Web Server to authenticate.’

Once I knew that, I was able to find lots of answers to the problem.  Here are some of them:

  1. 400 Bad Request (Header Field Too Long) when using Kerberos authentication
  2. Apache Bad Request “Size of a request header field exceeds server limit” with Kerberos SSO
  3. New resolution for problems with Kerberos authentication when users belong to many groups

Number 3 was the crux of the problem, “when users belong to many groups”. We took the easy way out, and reduced the number of AD Groups the customer was a member of.

Bonus information
Not only was Internet Explorer broken, but so was any system which used Kerberos, such as our email and document management system.
The 140+ Active Directory Groups were direct memberships. I suspect there are some additional nested group memberships in there too.
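The fix above (trimming direct group memberships) and the suspicion about nested groups both come down to one number: how many group SIDs the domain controller actually puts into the user's Kerberos ticket, since that is what inflates the Authorization header Apache rejects. The following is an added example, not code from the original post, that measures it for one account using only the built-in ADSI/.NET classes (no RSAT module needed). It resolves the domain from RootDSE and compares the direct `memberOf` list with the DC-expanded `tokenGroups` attribute, which includes nested and domain-local groups. The account name `jdoe` is a placeholder.

```powershell
# Added example, not from the original post. Counts a user's direct group
# memberships (memberOf) and the fully expanded set the DC places in the
# Kerberos ticket (tokenGroups), so nested membership becomes visible.
function Get-KerberosGroupCount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )

    # Resolve the domain naming context from the DC we are already talking to.
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'memberOf'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found under $domainDn" }

    # memberOf lists only direct memberships (security and distribution groups).
    $directGroups = @($result.Properties['memberof'])

    # tokenGroups is a constructed attribute the DC expands for us: every
    # security group the user is in, directly or through nesting, plus the
    # primary group. It is only returned by a base-scope search of the user
    # object itself, hence the second query.
    $userEntry     = $result.GetDirectoryEntry()
    $tokenSearcher = New-Object System.DirectoryServices.DirectorySearcher($userEntry)
    $tokenSearcher.SearchScope = 'Base'
    $tokenSearcher.Filter      = '(objectClass=*)'
    [void]$tokenSearcher.PropertiesToLoad.Add('tokenGroups')
    $tokenSids = @($tokenSearcher.FindOne().Properties['tokengroups'] | ForEach-Object {
        # Each value is a binary SID; convert it to the familiar S-1-5-... form.
        (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
    })

    [pscustomobject]@{
        User            = $SamAccountName
        DirectGroups    = $directGroups.Count   # what you see in the AD console
        EffectiveGroups = $tokenSids.Count      # what ends up as SIDs in the ticket
        EffectiveSids   = $tokenSids
    }
}

# Example run against a placeholder account name.
$counts = Get-KerberosGroupCount -SamAccountName 'jdoe'
$counts | Select-Object User, DirectGroups, EffectiveGroups | Format-Table -AutoSize
```

If EffectiveGroups is noticeably larger than DirectGroups, nesting is doing exactly what the bonus note suspects, and removing direct memberships alone will shrink the ticket less than expected; the nested groups have to be pruned too. The Apache message in link 2, “Size of a request header field exceeds server limit”, is the server's `LimitRequestFieldSize` limit (8190 bytes by default) being hit by the Negotiate header, so EffectiveGroups is the number that has to come down for the header to fit, whatever the client-side token size setting from link 3 allows.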