Apparently there is a bug with CWA and Windows 2008 where the Service Principal Name (SPN) isn't created for the FQDN of your CWA site. The result is the following error when you attempt to sign in with integrated Windows authentication:
Cannot sign in because your computer clock is not set correctly or your account is invalid (error code: 0-1-492)
When I created our 'internal' and 'external' CWA web sites on our web server I set up two IP addresses so that each site could have a unique IP with the same certificate bound to it. We use the same FQDN for both the internal and external CWA site (i.e. https://cwa.contoso.com/). ISA Server 2006 is used to direct external clients to the IP bound to the external CWA site and vice versa. The key difference is that the internal site uses both forms-based authentication as well as Windows authentication.
The Windows authentication site will fail with the error if your site is running on Windows 2008 Server while the other site will work just fine. We limped along for a while by setting the IP address of the internal site to be the external site until this fix came along.
HOW TO FIX IT:
You need to add an SPN matching the FQDN of your internal site (cwa.contoso.com) to the user account you assigned in AD for CWA.
- Open ADSIEDIT and navigate to the OU where your CWA service account is stored.
- Locate the CWA service account (mine is called 'CWAService') and right-click then choose Properties.
- Turn on the checkbox to 'Show only attributes that have values' and scroll down to an entry called 'servicePrincipalName'.
- Click the Edit button.
- Type in the SPN using the following format: http/<FQDN of your site>. For example, if your site is called "cwa.intel.com" then type in "http/cwa.intel.com". NOTE: Do NOT type http://.
- Click OK and you're done!
Depending on your topology and the location of your web server relative to a DC, AD replication may need to occur before the new SPN is visible to the DC your web server authenticates against.
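The same change can be made and verified from a command prompt instead of ADSIEDIT. The following PowerShell is an added example, not something from the original post; it assumes the CONTOSO domain, the 'CWAService' account and the cwa.contoso.com FQDN used above, and it runs on a domain-joined machine with setspn.exe (included with Windows Server 2008). It guards against the two common mistakes behind error 0-1-492: typing the SPN as a URL and registering a duplicate SPN on a second account, which makes Kerberos fail for both.

```powershell
# Added example (not from the original post). Register the CWA HTTP SPN on the
# CWA service account with setspn.exe and confirm it is present.
# Assumed values: domain CONTOSO, account CWAService, site FQDN cwa.contoso.com.
$Domain  = 'CONTOSO'
$Account = 'CWAService'
$Fqdn    = 'cwa.contoso.com'
$Spn     = "http/$Fqdn"          # service class / host -- never 'http://'

# Guard 1: an SPN is 'class/host', not a URL. A scheme separator means a typo.
if ($Spn -match '://') {
    throw "SPN must be in the form http/<fqdn>, not a URL: $Spn"
}

# Guard 2: look for an existing holder of this SPN anywhere in the forest.
# Two accounts carrying the same SPN break Kerberos for the site, so stop here.
$query = setspn -Q $Spn
if ($query -match 'Existing SPN found') {
    Write-Warning "SPN $Spn is already registered:`n$($query -join "`n")"
    return
}

# Add the SPN. -S re-checks for duplicates before writing (unlike -A).
setspn -S $Spn "$Domain\$Account"

# Verify: the servicePrincipalName attribute on the account should now list it.
$registered = setspn -L "$Domain\$Account"
if ($registered -match [regex]::Escape($Spn)) {
    Write-Host "OK: $Spn is registered on $Domain\$Account"
} else {
    Write-Warning "SPN not visible yet on $Domain\$Account; check AD replication"
}
```

Once the SPN is in place, a client that has signed in with integrated Windows authentication can run `klist` and should see a service ticket for http/cwa.contoso.com; if the ticket list is empty and the 0-1-492 error persists, the web server's DC has probably not replicated the change yet.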