[17060] in Kerberos-V5-bugs


[krbdev.mit.edu #9188] Windows timezone handling in

daemon@ATHENA.MIT.EDU (Crowston, Robert via RT)
Mon Nov 3 11:06:25 2025

From: "Crowston, Robert via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To: <LO4P265MB6351470C2156C6873D282AE4F2C7A@LO4P265MB6351.GBRP265.PROD.OUTLOOK.COM>
Message-ID: <rt-4.4.3-2-4020076-1762185981-32.9188-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9188":;
Date: Mon, 03 Nov 2025 11:06:21 -0500
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


Mon Nov 03 11:06:20 2025: Request 9188 was acted upon.
 Transaction: Ticket created by Robert.Crowston@gs.com
       Queue: krb5
     Subject: Windows timezone handling in FileTimeToUnixTime() may cause valid MSLSA tickets to appear not yet valid
       Owner: Nobody
  Requestors: Robert.Crowston@gs.com
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9188 >


>Originator: Robert H Crowston
>Organization:
Goldman Sachs
>Confidential: no
>Synopsis: Windows timezone handling in FileTimeToUnixTime() may cause valid MSLSA tickets to appear not yet valid
>Severity: serious
>Priority: high
>Category: krb5-clients
>Class:  sw-bug
>Release: 4.1 (krb5 for Windows)
>Environment:
Windows 10
> Description:
We have identified a timezone bug in FileTimeToUnixTime() in krb5/src/lib/krb5/ccache/cc_mslsa.c. The bug causes ticket timestamps in the Microsoft Windows MSLSA cache to be seen by krb5 as if offset by several hours. Depending on the offset and realm policy, krb5 GSSAPI may wrongly treat these tickets as not yet valid or as expired.

FileTimeToUnixTime() is a krb5 function to convert the Microsoft-specific FileTime format to a Unix epoch time. A FileTime stores the number of 100-nanosecond intervals since 1 January 1601 AD. (https://learn.microsoft.com/en-us/windows/win32/api/minwinbase/ns-minwinbase-filetime). The type may be used to represent both absolute times (as UTC) and local times.

To convert to Unix time, FileTimeToUnixTime():
1. Adjusts the input FileTime to a timezone-localized timestamp using the win32 API FileTimeToLocalFileTime().
2. Marshals the localized timestamp into a Unix-style "tm" struct.
3. Converts to a timezone-free Unix time using the mktime() function.

FileTimeToLocalFileTime() and mktime() use different mechanisms to determine the effective timezone:
* FileTimeToLocalFileTime() queries the operating system context in an undocumented manner. It ignores any TZ environment variable.
* mktime() reads the TZ environment variable. If it cannot parse the TZ variable, it assumes UTC-8, Pacific Time. If there is no TZ variable at all, it uses GetTimeZoneInformation() to query the operating system. See remarks at https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/mktime-mktime32-mktime64?view=msvc-170#remarks.

In our situation we have a Windows machine whose timezone is set to UTC+5:30 (New Delhi) in the Control Panel. The machine also has an environment variable TZ=Asia/Calcutta. Asia/Calcutta is a valid IANA link, but Microsoft's implementation of mktime() does not understand IANA and falls back to UTC-8. Consequently, fresh, valid tickets obtained from the Active Directory domain controller by the LSA are seen as not-yet-valid by the krb5 GSSAPI library.

Workarounds:
* POSIX-like TZ formats (like "IST-5.30") work OK with Microsoft's mktime(). For compatibility with applications that expect IANA values, it may be necessary to add a manual link in the application's IANA database from the POSIX name to the IANA city.
* Application code can unset TZ before calling krb5 GSSAPI code and restore it afterwards.

History:
This code path has been unmodified since it was adopted into the krb5 library in 2000: https://github.com/krb5/krb5/commit/c20d72ef8113ead05d6fab3976d93d340f86212b.

Credit:
Vignesh Manickavasagam <vignesh.manickavasagam@gs.com>

>How-To-Repeat:
On a Windows domain-joined machine,
1. Set the timezone in the Windows "Date & Time" settings to a city further east than UTC+2:00. For example, UTC+5:30 New Delhi.
2. Set the TZ environment variable to a valid IANA value such as "Asia/Calcutta" or "Australia/Sydney". (It does not need to be the same city as the system timezone, but it should not be a POSIX-compatible value.)
3. Clear the ticket cache with kinit -R.
4. Observe the not-yet-valid bug by requesting a ticket with GSSAPI. On the command line one can use gss-client.exe:
    % gss-client.exe -spnego -port 443 internal-site.your-domain.com HTTP arbitrary-message
    GSS-API error initializing context: Unspecified GSS failure.  Minor code may provide more information
    GSS-API error initializing context: Ticket not yet valid
5. Clear the TZ variable to see that the GSSAPI request now succeeds:
    % set TZ=
    % gss-client.exe -spnego -port 443 internal-site.your-domain.com HTTP arbitrary-message
    Sending init_sec_context token (size=4126)...continue needed...reading token flags: 0 bytes read
6. A prematurely expired ticket can be observed by setting the Windows timezone to a place sufficiently far west, for example Hawaii. This depends on the realm policy for ticket lifetimes.

>Fix:
The function is converting from epoch to epoch, so it is not necessary to convert through a local time: there is a direct arithmetic conversion. Raymond Chen has a recommendation here: https://devblogs.microsoft.com/oldnewthing/20220602-00/?p=106706. Less elegant but more portable solutions can be found on Stack Overflow.

An alternative fix would be to unset TZ in the prologue to FileTimeToLocalTime() and restore it in the epilogue.

If it is not desirable to fix the problem, the behaviour of the krb5 library in the presence of TZ values should be documented.
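As an added illustration, not code from this report or from the krb5 tree, the following C block implements the direct epoch-to-epoch arithmetic the Fix section proposes and places next to it a portable model of the three-step local-time round trip described under Description. The model represents FileTimeToLocalFileTime() and mktime() as two independent offsets in seconds east of UTC, so the skew between them can be measured; function names, the offset model and the sample timestamp (1762185981, i.e. 2025-11-03 16:06:21 UTC) are this example's own assumptions, and the real Win32 and CRT calls additionally apply daylight-saving rules that the model ignores.

```c
#include <stdint.h>
#include <stdio.h>

/* Number of 100-nanosecond intervals between 1601-01-01 and 1970-01-01 (both UTC). */
#define EPOCH_DIFF_100NS   116444736000000000LL
#define INTERVALS_PER_SEC  10000000LL

/* Direct, timezone-free conversion of a FILETIME (taken here as a single
 * 64-bit count of 100-ns intervals since 1601) to Unix seconds.
 * Both epochs are UTC, so no local-time detour is needed. The sub-second
 * remainder is dropped; pre-1970 values come out negative (C division
 * truncates toward zero). */
int64_t filetime_to_unix_direct(uint64_t ft)
{
    int64_t delta = (int64_t)ft - EPOCH_DIFF_100NS;
    return delta / INTERVALS_PER_SEC;
}

/* Inverse conversion, used here to build test inputs from Unix times. */
uint64_t unix_to_filetime(int64_t unix_seconds)
{
    return (uint64_t)(unix_seconds * INTERVALS_PER_SEC + EPOCH_DIFF_100NS);
}

/* Model of the local-time round trip: FileTimeToLocalFileTime() adds the
 * offset the operating system believes in (os_offset), then mktime()
 * removes the offset the C runtime believes in (crt_offset). Whenever the
 * two sources disagree, the difference leaks straight into the result.
 * Offsets are seconds east of UTC; DST is deliberately not modelled. */
int64_t filetime_to_unix_via_local(uint64_t ft, int64_t os_offset, int64_t crt_offset)
{
    int64_t utc   = filetime_to_unix_direct(ft);
    int64_t local = utc + os_offset;   /* what FileTimeToLocalFileTime() produces */
    return local - crt_offset;         /* what mktime() hands back */
}

/* Error introduced by the local-time path, in seconds (positive = into the future). */
int64_t local_path_skew(uint64_t ft, int64_t os_offset, int64_t crt_offset)
{
    return filetime_to_unix_via_local(ft, os_offset, crt_offset)
         - filetime_to_unix_direct(ft);
}

int main(void)
{
    /* Constructed sample: a ticket start time of 2025-11-03 16:06:21 UTC. */
    uint64_t ft = unix_to_filetime(1762185981LL);
    const int64_t NEW_DELHI = 19800;   /* UTC+5:30 set in the Control Panel */
    const int64_t HAWAII    = -36000;  /* UTC-10 */
    const int64_t CRT_FALLBACK = -28800; /* UTC-8, used when TZ cannot be parsed */

    printf("direct conversion:        %lld\n", (long long)filetime_to_unix_direct(ft));
    printf("New Delhi, TZ unparsable: skew %+lld s (ticket looks not yet valid)\n",
           (long long)local_path_skew(ft, NEW_DELHI, CRT_FALLBACK));
    printf("Hawaii, TZ unparsable:    skew %+lld s (ticket looks expired early)\n",
           (long long)local_path_skew(ft, HAWAII, CRT_FALLBACK));
    printf("offsets agree:            skew %+lld s\n",
           (long long)local_path_skew(ft, NEW_DELHI, NEW_DELHI));
    return 0;
}
```

With the New Delhi clock and the UTC-8 fallback the model reports a skew of +48600 s (13.5 hours), which is why a freshly issued ticket is rejected as not yet valid; with Hawaii the skew is -7200 s, enough to push an end time into the past when the realm issues short-lived tickets. The direct function has no such dependency on TZ at all, which is the point of the proposed fix.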



_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
