Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

Clock skew too great (37) error when WDSSO authentication fails in AM (All versions)

Last updated Jan 16, 2023

This article helps you resolve the "javax.security.auth.login.LoginException: Clock skew too great (37)" error, which occurs when you attempt to authenticate using the Windows Desktop SSO (WDSSO) authentication module in AM.



Symptoms

The following error is shown in the Authentication log when WDSSO authentication fails:

amAuthWindowsDesktopSSO:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] WindowsDesktopSSO params: principal: HTTPS/am.example.com@WINDOWS.EXAMPLE.COM keytab file: /etc/am.HTTPS.keytab realm : WINDOWS.EXAMPLE.COM kdc server: windows.example.com domain principal: false Lookup user in realm:false Accepted Kerberos realms: [] auth level: 0
amAuthWindowsDesktopSSO:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] Init WindowsDesktopSSO. This should not happen often.
amAuth:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] spi authLevel :0
amAuth:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] module configuration authLevel :0
amAuth:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] levelSet :false
amAuthWindowsDesktopSSO:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] New Service Login ...
amAuthWindowsDesktopSSO:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] ERROR: Service Login Error:
amAuthWindowsDesktopSSO:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] Stack trace:
javax.security.auth.login.LoginException: Clock skew too great (37)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    ...
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
    ... 113 more
amLoginModule:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] SETTING Failure Module name.... :wdsso

Recent Changes

N/A

Causes

The difference between the time on the Kerberos™ or Active Directory® Domain Controller and the AM server is too great.

Solution

This issue can be resolved by correcting the time on the Kerberos or Active Directory Domain Controller so it matches the time on the AM server.
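
To confirm the cause before changing any clocks, you can measure the offset between the AM server and the domain controller. The following is an added example, not ForgeRock code: a small SNTP check run from the AM host. It assumes the domain controller answers NTP on UDP port 123 and that the Kerberos tolerance is the default of 5 minutes; the function names are illustrative.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MAX_SKEW_SECONDS = 300         # assumed Kerberos default tolerance; adjust if your site differs

def build_request():
    # First byte: LI=0, VN=3, Mode=3 (client); the other 47 bytes are zero.
    return b"\x1b" + 47 * b"\x00"

def _ts(packet, offset):
    # Decode a 64-bit NTP timestamp (32-bit seconds + 32-bit fraction) to Unix seconds.
    secs, frac = struct.unpack("!II", packet[offset:offset + 8])
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def clock_offset(packet, t1, t4):
    """Server clock minus local clock, in seconds (t1 = local send, t4 = local receive)."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    if packet[0] & 0x07 != 4:
        raise ValueError("not an NTP server reply")
    t2 = _ts(packet, 32)       # server receive timestamp
    t3 = _ts(packet, 40)       # server transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2

def skew_too_great(offset, limit=MAX_SKEW_SECONDS):
    return abs(offset) > limit

def query(host, timeout=3.0):
    # One SNTP round trip; network delay cancels out in clock_offset().
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(), (host, 123))
        packet, _ = s.recvfrom(512)
        t4 = time.time()
    return clock_offset(packet, t1, t4)

if __name__ == "__main__":
    off = query(sys.argv[1])   # e.g. the "kdc server" value from the WDSSO module params
    print(f"offset {off:+.3f}s, exceeds Kerberos tolerance: {skew_too_great(off)}")
```

A positive offset means the domain controller is ahead of the AM server; a negative offset means it is behind.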

See Also

Kerberos authentication fails with an Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled error in AM 6.x

WDSSO/Kerberos authentication fails in AM (All versions) with an HTTP 400 Bad Request response

Unable to obtain password from user error when Kerberos authentication fails in AM (All versions)

How do I troubleshoot Kerberos and WDSSO issues in AM (All versions)?

How do I enable debug logging for troubleshooting Kerberos and WDSSO issues in AM (All versions)?

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.