Forum Discussion
Server 2025 Domain Join Error ASN.1
RichBaldry I'm impressed with your investigative work on this! It helped me to have a fruitful conversation with the engineering team. Your intuition is correct: we are quite concerned about the 2037 limit, which is not very far away. For accounts with no password expiry, we moved the Kerberos expiry out to 2100, so that our products will continue working past 2037. But some devices do not handle dates properly past 2037.
Our recommendation would be for Cisco and other vendors to update their software to be able to handle dates past 2037 properly -- for the same reason, because 2037 is not so far away. I'm not sure I would call this a ping-pong game -- we all have to work together to handle the 32-bit date limit.
Alternatively, having regular password rotation regimes is a best practice, so enabling password expiry and rotating passwords on a regular basis will both solve this issue and improve your security.
I understand. I do work for a vendor with a product similar to Cisco's and we are now making plans to update our Kerberos builds to use 64-bit date values so that the ASN.1 conversion doesn't fail.
Regarding the regular password rotation, this advice is unfortunately no good for situations where it's actually a computer account that is authenticating, as is the case for our device. As far as I can tell it's actually not possible to set an expiry date on a Computer account.
Fixing this on our side is certainly our goal for a long-term solution, but I know not all vendors and devices will be able to do the same. In the meantime, a way to revert this on the Windows side would certainly be helpful.
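The 32-bit date limit discussed in this thread, as an added example that is not part of any post above and is not code from Microsoft, Cisco or any Kerberos implementation: it parses a KerberosTime string (the `YYYYMMDDHHMMSSZ` GeneralizedTime form) into a 64-bit value and reports whether that value would still fit a signed 32-bit `time_t`. The function names and sample timestamps are constructed for illustration, including the 2100 value, whose exact form the thread does not give.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Days since 1970-01-01 for a Gregorian date (valid for years >= 1). */
static int64_t days_from_civil(int64_t y, int m, int d) {
    y -= (m <= 2);                      /* count the year from March */
    int64_t era = y / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Parse "YYYYMMDDHHMMSSZ" into 64-bit epoch seconds.
 * Returns 0 on success, -1 if the string is malformed. */
int krbtime_to_epoch64(const char *s, int64_t *out) {
    int f[6];                           /* year, month, day, hour, min, sec */
    static const int width[6] = {4, 2, 2, 2, 2, 2};
    if (s == NULL || strlen(s) != 15 || s[14] != 'Z') return -1;
    for (int i = 0, pos = 0; i < 6; i++) {
        f[i] = 0;
        for (int k = 0; k < width[i]; k++, pos++) {
            if (s[pos] < '0' || s[pos] > '9') return -1;
            f[i] = f[i] * 10 + (s[pos] - '0');
        }
    }
    if (f[0] < 1 || f[1] < 1 || f[1] > 12 || f[2] < 1 || f[2] > 31 ||
        f[3] > 23 || f[4] > 59 || f[5] > 60) return -1;
    *out = days_from_civil(f[0], f[1], f[2]) * 86400
         + f[3] * 3600 + f[4] * 60 + f[5];
    return 0;
}

/* 1 if the value survives storage in a signed 32-bit time_t, else 0. */
int fits_time32(int64_t t) { return t >= INT32_MIN && t <= INT32_MAX; }

int main(void) {
    /* Constructed sample values, not taken from a real ticket. */
    const char *samples[] = {"20380119031407Z", "20380119031408Z", "21000101000000Z"};
    for (int i = 0; i < 3; i++) {
        int64_t t;
        if (krbtime_to_epoch64(samples[i], &t) != 0) { puts("malformed"); continue; }
        printf("%s -> %lld %s\n", samples[i], (long long)t,
               fits_time32(t) ? "fits 32-bit" : "OVERFLOWS 32-bit time_t");
    }
    return 0;
}
```

A build that stores the parsed value in a 32-bit field should reject or clamp it explicitly rather than let the conversion wrap.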