[OpenAM] GSSException Clock skew too great(37) on WindowsDesktopSSO

Kolev, Ivo Ivailo.Kolev at experian.com
Thu Mar 29 12:05:53 BST 2012


Thanks for the help, issue is solved.

There were a few things which I did and the issue is gone.
1. Enabled Windows Time on the client machine (didn't notice it's off, but the time was looking OK).
2. Restarted the machine. At this point SPNEGO started to work in IE, but FF was still failing.
3. Upgraded FF to 11, and it started working as well.

While the client was restarting, the server was also restarted because of getting automatic updates (11). Hopefully, none of these influenced the case.

Cheers, Ivo Kolev



-----Original Message-----
From: openam-bounces at forgerock.org [mailto:openam-bounces at forgerock.org] On Behalf Of Peter Major
Sent: 29 March 2012 12:18
To: Users
Subject: Re: [OpenAM] GSSException Clock skew too great(37) on WindowsDesktopSSO

might be related:
http://vanbortel.blogspot.com/2011/05/sso-fails-randomly-clock-skew-too-great.html

On 2012-03-29 11:08, Kolev, Ivo wrote:
> I've been wrong, it seems Logging Level also impacts the logs in debug 
> folder. Now an exception appears, but it shows what I already saw.
>
> GSSException: Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))
> 	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
> 	at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO$1.run(WindowsDesktopSSO.java:231)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:396)
> 	at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.authenticateToken(WindowsDesktopSSO.java:224)
> ..
> Caused by: KrbException: Clock skew too great (37)
> 	at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:293)
> 	at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
> 	at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
> 	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
> 	... 45 more
>
> Cheers, Ivo Kolev
>
>
> -----Original Message-----
> From: Kolev, Ivo
> Sent: 29 March 2012 11:42
> To: Users
> Cc: Kolev, Ivo
> Subject: RE: [OpenAM] GSSException Clock skew too great(37) on WindowsDesktopSSO
>
> Thanks for the prompt reply, Bernhard.
>
> OpenAM is in debug mode - Configuration/Server and 
> Sites/<server>/Debug Level is Message and 
> Configuration/System/Logging/Logging Level is set to Finest. The only 
> related information I see is listed below, but as before it does not show anything about the GSS exception encountered.
>
> Cheers, Ivo
>
> ../debug/Authentication has
> ..
> Context created.
> amAuthWindowsDesktopSSO:03/29/2012 10:27:51:718 AM CEST:
> Thread["http-apr-8080"-exec-3,5,main]
> Authentication failed with GSSException.
> amLoginModule:03/29/2012 10:27:51:718 AM CEST:
> Thread["http-apr-8080"-exec-3,5,main]
> SETTING Failure Module name.... : WindowsSSO_Instance
> amAuth:03/29/2012 10:27:51:718 AM CEST:
> Thread["http-apr-8080"-exec-3,5,main]
> ..
>
>
>
>
> -----Original Message-----
> From: openam-bounces at forgerock.org 
> [mailto:openam-bounces at forgerock.org]
> On Behalf Of Bernhard Thalmayr
> Sent: 28 March 2012 21:09
> To: openam at forgerock.org
> Subject: Re: [OpenAM] GSSException Clock skew too great(37) on WindowsDesktopSSO
>
> When debug level is set to 'message' you should see the GSS Exception 
> .. can you share it?
>
> -Bernhard
>
>
> On 3/28/12 5:32 PM, Kolev, Ivo wrote:
>> Hello,
>>
>> I'm facing a problem establishing WinSSO and cannot find the cause.
>>
>> The environment:
>>
>> Client: FF4/IE8 on Win XP SP3
>>
>> Server: OpenAM 9.5.4 on Tomcat 7 on Windows Server 2008 Standard SP2; 
>> JRE 1.6.0_24.
>>
>> KDC: Active Directory 2003
>>
>> OpenAM Authentication logs show something like below. SSO fails
>> because of GSSException, but details are not available. Debugging
>> WinSSO module I see a GSSException with major code 11 (which means
>> General error I think), minor code -1 and minor message Clock skew
>> too great (37). All three machines look time synched, I would not bet on
>> the seconds, but up to the minutes the numbers are equal and machines
>> are in one time zone.
>>
>> Has anyone met and solved such a case? I would appreciate any info.
>> Just as a side note, WinSSO works fine on a different environment where
>> OpenAM runs on XP, all the rest is identical.
>>
>> Cheers, Ivo Kolev
>>
>> ********************************
>>
>> SPNEGO OID found in the Auth Token
>>
>> amAuthWindowsDesktopSSO:03/28/2012 03:26:53:231 PM CEST:
>> Thread["http-apr-8080"-exec-7,5,main]
>>
>> DerValue: found init token
>>
>> amAuthWindowsDesktopSSO:03/28/2012 03:26:53:231 PM CEST:
>> Thread["http-apr-8080"-exec-7,5,main]
>>
>> DerValue: 0x30 constructed token found
>>
>> amAuthWindowsDesktopSSO:03/28/2012 03:26:53:231 PM CEST:
>> Thread["http-apr-8080"-exec-7,5,main]
>>
>> Kerberos token retrieved from SPNEGO token:
>>
>> 60 82 05 03 06 09 2a 86 48 86 f7 12 01 02 02 01
>>
>> ....
>>
>> 59 62 9f 85 ec de 7c
>>
>> amAuthWindowsDesktopSSO:03/28/2012 03:26:58:889 PM CEST:
>> Thread["http-apr-8080"-exec-7,5,main]
>>
>> In authenticationToken ...
>>
>> amAuthWindowsDesktopSSO:03/28/2012 03:26:58:905 PM CEST:
>> Thread["http-apr-8080"-exec-7,5,main]
>>
>> Context created.
>>
>> amAuthWindowsDesktopSSO:03/28/2012 03:29:07:022 PM CEST:
>> Thread["http-apr-8080"-exec-7,5,main]
>>
>> Authentication failed with GSSException.
>>
>> amLoginModule:03/28/2012 03:29:07:022 PM CEST:
>> Thread["http-apr-8080"-exec-7,5,main]
>>
>> ********************************
>>
>>
>>
>>
>> _______________________________________________
>> OpenAM mailing list
>> OpenAM at forgerock.org
>> https://lists.forgerock.org/mailman/listinfo/openam
>
>
> --
> Painstaking Minds
> IT-Consulting Bernhard Thalmayr
> Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
> Tel: +49 (0)8062 7769174
> Mobile: +49 (0)176 55060699
>
> bernhard.thalmayr at painstakingminds.com - Solution Architect
>
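
Kerberos error 37 means the timestamp in the client's request differed from the accepting server's clock by more than the allowed skew (300 seconds by default), which a glance at the desktop clocks may not reveal. The following is an added example, not part of the original thread or of OpenAM: it computes the clock offset from an SNTP reply and compares it with that limit; all function names are hypothetical and the sample reply is constructed, not captured.

```python
import struct

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW_SECONDS = 300         # Kerberos default; assumes the realm has not changed it

def ntp_to_unix(seconds, fraction):
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32

def unix_to_ntp(t):
    return int(t) + NTP_EPOCH_DELTA, int((t % 1) * 2**32)

def clock_offset(reply, t_sent, t_received):
    """Server clock minus local clock, in seconds, from a 48-byte SNTP reply."""
    if len(reply) < 48 or reply[0] & 0x07 != 4:      # mode 4 = server
        raise ValueError("not an SNTP server reply")
    # Bytes 32-47 hold the server's receive and transmit timestamps.
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    t_rx, t_tx = ntp_to_unix(rx_s, rx_f), ntp_to_unix(tx_s, tx_f)
    # Standard NTP offset: average of the two one-way differences,
    # which cancels a symmetric network delay.
    return ((t_rx - t_sent) + (t_tx - t_received)) / 2

def skew_verdict(offset, limit=MAX_SKEW_SECONDS):
    return "clock skew too great" if abs(offset) > limit else "within tolerance"

def constructed_reply(server_rx, server_tx):
    """Build a sample reply (constructed data, not captured traffic)."""
    header = bytes([0x24]) + bytes(31)               # LI=0, VN=4, mode=4
    return header + struct.pack("!4I", *unix_to_ntp(server_rx),
                                *unix_to_ntp(server_tx))

def demo(server_ahead):
    t_sent = 1333000000.0                            # constructed local send time
    t_received = t_sent + 0.021                      # 21 ms round trip
    reply = constructed_reply(t_sent + 0.010 + server_ahead,
                              t_sent + 0.011 + server_ahead)
    return clock_offset(reply, t_sent, t_received)

if __name__ == "__main__":
    for ahead in (2.0, 400.0):
        off = demo(ahead)
        print(f"offset {off:+.3f}s -> {skew_verdict(off)}")
```

Against a live time source, the reply would come from a 48-byte request starting with byte 0x1b sent to UDP port 123, with the local time recorded just before sending and just after receiving.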