Exchange 2016 Troubleshooting: Unexpected Auth Blob Check For Clock Skew (Event ID 1035)
Introduction
As many of you might know, Active Directory and Exchange are time sensitive. This means that if the time is behind or ahead by 5 minutes or more, this messes with Exchange.
Clock skew consequences
When the clock skew (the time synchronization difference between the client and the authentication server) is too large, Kerberos authentication will break.
Event ID 1035
If you see Event ID 1035 as shown below, the error actually tells you there is a time problem: https://www.collaborationpro.com/wp-content/uploads/2020/12/image-5-1024x632.png
There are a few places you need to check where the time is out:
- The actual Exchange Servers
- The domain controllers
- The underlying hypervisors, either Hyper-V or VMware.
In this scenario, the client had a host that was ahead of time, and checking the application log files showed events ahead of time. Checking the time from a command prompt using the command "net time" showed the DC it was talking to, and the time was correct.
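One way to run this check on each of the machines listed above, as an added example that is not from the original article: it measures the local clock's offset against each domain controller with w32tm /stripchart and flags anything at or beyond the 5-minute mark. The DC names and the helper name Get-StripchartOffset are assumptions; save it as a script and replace the names with your own.

```powershell
# Added example: run locally on each Exchange server, DC and Hyper-V host you are checking.
param(
    # Hypothetical DC names (assumption); replace with your own domain controllers.
    [string[]]$ReferenceServers = @('dc01.example.test', 'dc02.example.test'),
    # The 5-minute limit mentioned in the article, in seconds.
    [double]$MaxSkewSeconds = 300
)

function Get-StripchartOffset {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data lines end with a signed offset, e.g. "10:15:02, +00.0123456s".
        # Failed samples read "10:15:02, error: 0x800705B4" and do not match.
        if ($line -match '([+-]\d+\.\d+)s\s*$') {
            return [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
    return $null   # no usable sample (timeout, name not resolved, NTP blocked)
}

$results = foreach ($server in $ReferenceServers) {
    # One NTP sample against the DC; no Kerberos ticket is needed for this query.
    $raw = & w32tm.exe /stripchart "/computer:$server" /samples:1 /dataonly 2>&1 |
        ForEach-Object { "$_" }
    $offset = Get-StripchartOffset -Lines $raw

    $status = if ($null -eq $offset) { 'NO SAMPLE' }
              elseif ([math]::Abs($offset) -ge $MaxSkewSeconds) { 'SKEW TOO LARGE' }
              else { 'OK' }

    [pscustomobject]@{
        LocalHost     = $env:COMPUTERNAME
        Reference     = $server
        OffsetSeconds = $offset
        Status        = $status
    }
}

$results | Format-Table -AutoSize
# Non-zero exit code so a scheduled task or monitoring wrapper can alert on it.
if ($results.Status -contains 'SKEW TOO LARGE') { exit 1 }
```

Because skew errors can be intermittent, running this on a schedule and keeping the output gives you a record of when a host started to drift.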
Once you fix the time issue, the errors should stop. One thing we noticed with time being ahead is that you cannot set up an Outlook profile, yet OWA works, and you get a certificate warning when launching Outlook.
Troubleshooting
Time skew or time synchronization issues are difficult to detect, as you might see intermittent errors.
Solution
Make sure to set up and configure time synchronization.