Clock skew too great (37) error when WDSSO authentication fails in AM (All versions)
The purpose of this article is to provide assistance if you receive a "javax.security.auth.login.LoginException: Clock skew too great (37)" error when attempting to log into the Windows Desktop SSO (WDSSO) authentication module in AM.
1 reader recommends this article
Symptoms
The following error is shown in the Authentication log when WDSSO authentication fails:
amAuthWindowsDesktopSSO:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] WindowsDesktopSSO params: principal: HTTPS/am.example.com@WINDOWS.EXAMPLE.COM keytab file: /etc/am.HTTPS.keytab realm : WINDOWS.EXAMPLE.COM kdc server: windows.example.com domain principal: false Lookup user in realm:false Accepted Kerberos realms: [] auth level: 0 amAuthWindowsDesktopSSO:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] Init WindowsDesktopSSO. This should not happen often. amAuth:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] spi authLevel :0 amAuth:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] module configuration authLevel :0 amAuth:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] levelSet :false amAuthWindowsDesktopSSO:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] New Service Login ... amAuthWindowsDesktopSSO:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] ERROR: Service Login Error: amAuthWindowsDesktopSSO:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] Stack trace: javax.security.auth.login.LoginException: Clock skew too great (37) at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763) at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ... Caused by: KrbException: Identifier doesn't match expected value (906) at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143) at sun.security.krb5.internal.ASRep.init(ASRep.java:65) at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60) at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60) ... 113 more amLoginModule:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-8,5,main] SETTING Failure Module name.... :wdssoRecent Changes
N/A
Causes
The difference between the time on the Kerberos™ or Active Directory® Domain Controller and the AM server is too great.
Solution
This issue can be resolved by correcting the time on the Kerberos or Active Directory Domain Controller so it matches the time on the AM server.
See Also
WDSSO/Kerberos authentication fails in AM (All versions) with an HTTP 400 Bad Request response
Unable to obtain password from user error when Kerberos authentication fails in AM (All versions)
How do I troubleshoot Kerberos and WDSSO issues in AM (All versions)?
How do I enable debug logging for troubleshooting Kerberos and WDSSO issues in AM (All versions)?
Related Training
N/A
Related Issue Tracker IDs
N/A