Windows inside domain running over Openstack

Trouble logging in ?

Like me, you may have had to setup some virtualized Windows over Openstack (KVM in my case). And if your Windows are inside an Active Directory domain, you may have some trouble logging in. Incorrect Password with a perfectly valid password means .. a clock problem.

As you may know, Windows authentication on a domain uses Kerberos. However Kerberos needs synchronized clocks to work. By default, Windows expects that the time provided by the system is a local time, while the standard is to provide UTC time, and Openstack respects it.

How to fix that

Inside Openstack, there is a way to give your instance the local time instead of the universal time : declare your instances as Windows !

Three things to do :

  • make sure that your compute nodes have theirs clocks synchronized with ntpd
  • add the 'os_type' propriety to your Windows image, it will fix the problem for your futures instances : glance image-update --property os_type=windows image-id
  • change the 'os_type' propriety of your already existing instances, directly in the Nova database, table instance, then hard reboot the instances (you may want to shutdown your Windows before =)

And voilĂ , your Windows clocks are now synchronized, and you can finally log-in.