[OpenAM] GSSException Clock skew too great(37) on WindowsDesktopSSO

Peter Major peter.major at forgerock.com
Thu Mar 29 10:18:17 BST 2012


might be related:
http://vanbortel.blogspot.com/2011/05/sso-fails-randomly-clock-skew-too-great.html

On 2012-03-29 11:08, Kolev, Ivo wrote:
> I've been wrong, it seems Logging Level also impacts the logs in debug
> folder. Now an exception appears, but it shows what I already saw.
>
> GSSException: Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))
> 	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
> 	at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO$1.run(WindowsDesktopSSO.java:231)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:396)
> 	at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.authenticateToken(WindowsDesktopSSO.java:224)
> ..
> Caused by: KrbException: Clock skew too great (37)
> 	at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:293)
> 	at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
> 	at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
> 	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
> 	... 45 more
>
> Cheers, Ivo Kolev
>
>
> -----Original Message-----
> From: Kolev, Ivo
> Sent: 29 March 2012 11:42
> To: Users
> Cc: Kolev, Ivo
> Subject: RE: [OpenAM] GSSException Clock skew too great(37) on WindowsDesktopSSO
>
> Thanks for the prompt reply, Bernhard.
>
> OpenAM is in debug mode - Configuration/Server and Sites/<server>/Debug
> Level is Message and Configuration/System/Logging/Logging Level is set
> to Finest. The only related information I see is listed below, but as
> before it does not show anything about the GSS exception encountered.
>
> Cheers, Ivo
>
> ../debug/Authentication has
> ..
> Context created.
> amAuthWindowsDesktopSSO:03/29/2012 10:27:51:718 AM CEST: Thread["http-apr-8080"-exec-3,5,main]
> Authentication failed with GSSException.
> amLoginModule:03/29/2012 10:27:51:718 AM CEST: Thread["http-apr-8080"-exec-3,5,main]
> SETTING Failure Module name.... : WindowsSSO_Instance
> amAuth:03/29/2012 10:27:51:718 AM CEST: Thread["http-apr-8080"-exec-3,5,main]
> ..
>
>
>
>
> -----Original Message-----
> From: openam-bounces at forgerock.org [mailto:openam-bounces at forgerock.org]
> On Behalf Of Bernhard Thalmayr
> Sent: 28 March 2012 21:09
> To: openam at forgerock.org
> Subject: Re: [OpenAM] GSSException Clock skew too great(37) on WindowsDesktopSSO
>
> When debug level is set to 'message' you should see the GSS Exception
> .. can you share it?
>
> -Bernhard
>
>
> On 3/28/12 5:32 PM, Kolev, Ivo wrote:
>> Hello,
>>
>> I'm facing a problem establishing WinSSO and cannot find the cause.
>>
>> The environment:
>>
>> Client: FF4/IE8 on Win XP SP3
>>
>> Server: OpenAM 9.5.4 on Tomcat 7 on Windows Server 2008 Standard SP2;
>> JRE 1.6.0_24.
>>
>> KDC: Active Directory 2003
>>
>> OpenAM Authentication logs show something like below. SSO fails
>> because of GSSException, but details are not available. Debugging
>> WinSSO module I see a GSSException with major code 11 (which means
>> General error I think), minor code -1 and minor message Clock skew too
>> great (37). All three machines look time synched, I would not bet for
>> the seconds, but up to the minutes the numbers are equal and machines
>> are in one time zone.
>>
>> Has anyone met and solved such a case? I would appreciate any info.
>> Just as a side note, WinSSO works fine on a different environment where
>> OpenAM runs on XP, all the rest is identical.
>>
>> Cheers, Ivo Kolev
>>
>> ********************************
>>
>> SPNEGO OID found in the Auth Token
>> amAuthWindowsDesktopSSO:03/28/2012 03:26:53:231 PM CEST: Thread["http-apr-8080"-exec-7,5,main]
>> DerValue: found init token
>> amAuthWindowsDesktopSSO:03/28/2012 03:26:53:231 PM CEST: Thread["http-apr-8080"-exec-7,5,main]
>> DerValue: 0x30 constructed token found
>> amAuthWindowsDesktopSSO:03/28/2012 03:26:53:231 PM CEST: Thread["http-apr-8080"-exec-7,5,main]
>> Kerberos token retrieved from SPNEGO token:
>> 60 82 05 03 06 09 2a 86 48 86 f7 12 01 02 02 01
>> ....
>> 59 62 9f 85 ec de 7c
>> amAuthWindowsDesktopSSO:03/28/2012 03:26:58:889 PM CEST: Thread["http-apr-8080"-exec-7,5,main]
>> In authenticationToken ...
>> amAuthWindowsDesktopSSO:03/28/2012 03:26:58:905 PM CEST: Thread["http-apr-8080"-exec-7,5,main]
>> Context created.
>> amAuthWindowsDesktopSSO:03/28/2012 03:29:07:022 PM CEST: Thread["http-apr-8080"-exec-7,5,main]
>> Authentication failed with GSSException.
>> amLoginModule:03/28/2012 03:29:07:022 PM CEST: Thread["http-apr-8080"-exec-7,5,main]
>>
>> ********************************
>>
>> _______________________________________________
>> OpenAM mailing list
>> OpenAM at forgerock.org
>> https://lists.forgerock.org/mailman/listinfo/openam
>
>
> --
> Painstaking Minds
> IT-Consulting Bernhard Thalmayr
> Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
> Tel: +49 (0)8062 7769174
> Mobile: +49 (0)176 55060699
>
> bernhard.thalmayr at painstakingminds.com - Solution Architect
>
>
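
For the "Clock skew too great (37)" symptom discussed in this thread, the following is an added example (not written by any poster and not OpenAM code) that measures a host's clock offset against a time source with one SNTP exchange, at sub-second resolution rather than by comparing wall clocks by eye. Run from both the OpenAM host and the client against the same domain controller, the two offsets show how far apart those machines are. Assumptions: the target answers SNTP on UDP 123, the tolerance is the usual Kerberos default of 300 seconds, and all function names are illustrative.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era) to 1970-01-01 (Unix)
KRB_MAX_SKEW = 300            # assumption: the usual 5-minute Kerberos default

def ntp_to_unix(seconds, fraction):
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32

def offset_from_reply(reply, t1, t4):
    """Offset in seconds of the remote clock relative to ours (positive: remote is ahead)."""
    if len(reply) < 48:
        raise ValueError("short SNTP reply")
    if reply[0] & 0x07 != 4 or reply[1] == 0:  # must be server mode with a real stratum
        raise ValueError("not a usable server reply")
    t2 = ntp_to_unix(*struct.unpack("!II", reply[32:40]))  # server receive time
    t3 = ntp_to_unix(*struct.unpack("!II", reply[40:48]))  # server transmit time
    return ((t2 - t1) + (t3 - t4)) / 2

def query_offset(host, timeout=3.0):
    request = b"\x1b" + 47 * b"\0"  # LI=0, VN=3, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (host, 123))
        reply, _ = sock.recvfrom(512)
        t4 = time.time()
    return offset_from_reply(reply, t1, t4)

def verdict(offset, max_skew=KRB_MAX_SKEW):
    if abs(offset) > max_skew:
        return "outside tolerance: expect KRB_AP_ERR_SKEW (37)"
    return "within tolerance"

def constructed_reply(server_unix_time):
    """Build a sample server reply for offline runs (constructed, not captured)."""
    sec = int(server_unix_time) + NTP_EPOCH_DELTA
    frac = int((server_unix_time % 1) * 2**32)
    stamp = struct.pack("!II", sec, frac)
    header = bytes([0x1C, 2, 0, 0xEC]) + 12 * b"\0"  # LI=0 VN=3 Mode=4, stratum 2
    return header + 16 * b"\0" + stamp + stamp  # reference and originate left zero

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. the KDC host name
        off = query_offset(sys.argv[1])
    else:  # offline demo: a server clock 400 s ahead of local readings
        off = offset_from_reply(constructed_reply(1400.0), 1000.0, 1000.0)
    print(f"offset {off:+.3f} s: {verdict(off)}")
```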


