In the localhost logs, the following KINIT error occurs periodically.
Exception: krb_error 37 Clock skew too great (37) Clock skew too great
File: Enforce/logs/tomcat/localhost.2023-05-03.log
Date: 5/3/2023 5:16:47 AM
Thread: 129
Level: WARNING
Source: com.symantec.dlp.login.spring.SymantecKerberosAuthenticationProvider
Message: Kerberos authentication failed: user='[email protected]'
Cause:
org.springframework.security.authentication.BadCredentialsException: Kerberos authentication failed
org.springframework.security.authentication.BadCredentialsException: Kerberos authentication failed
Caused by: javax.security.auth.login.LoginException: Clock skew too great (37)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:810)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618)
Windows AD
Enforce running on RHEL 8
The system clock does not align closely enough with the Active Directory server's time value.
Ensure that the clocks on the Enforce Server and detection server(s) hosts are synchronized with the Active Directory host by using the Network Time Protocol (NTP) against a high-stratum NTP server (a lower numeric stratum value indicates better time quality). With NTP in place, the DLP server hosts should be synchronized to within 5 minutes of the Active Directory host.
On RHEL 8
Install the chrony NTP package
# dnf install chrony
Enable Chrony to start on boot
# systemctl enable chronyd
Start Chrony NTP daemon
# systemctl start chronyd
Check for NTP sources
Check the new date
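An added example (not part of the original article and not Symantec tooling): a shell function that reads `chronyc tracking` output and reports whether the host is synchronised and inside the 5-minute limit described above. The sample outputs and the host name dc01.example.test are constructed, and the check assumes chronyd's time source is the Active Directory host or shares its time hierarchy.

```shell
#!/bin/sh
# Added example, not from the original article.
MAX_SKEW=300   # seconds: the 5-minute limit stated above

# Reads `chronyc tracking` text on stdin.
# Exit status: 0 = within limit, 1 = offset too large, 2 = not synchronised.
check_tracking() {
    awk -v max="$MAX_SKEW" '
        # "System time : 0.000412000 seconds fast of NTP time" -> field 4 is the offset
        /^System time/ { off = $4 + 0 }
        /^Leap status/ { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); leap = $0 }
        END {
            # No "Leap status" line at all means chronyc could not reach chronyd.
            if (leap == "" || leap == "Not synchronised") {
                print "not synchronised: check that chronyd is running and has sources"
                exit 2
            }
            if (off > max + 0) {
                print "offset " off "s exceeds " max "s: Kerberos login will fail"
                exit 1
            }
            print "ok: offset " off "s (limit " max "s)"
        }'
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_OK='Reference ID    : C0A80A05 (dc01.example.test)
Stratum         : 3
System time     : 0.000412000 seconds fast of NTP time
Leap status     : Normal'

SAMPLE_DRIFT='Reference ID    : C0A80A05 (dc01.example.test)
Stratum         : 3
System time     : 412.530000000 seconds slow of NTP time
Leap status     : Normal'

SAMPLE_UNSYNC='Reference ID    : 00000000 ()
Stratum         : 0
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised'

for sample in "$SAMPLE_OK" "$SAMPLE_DRIFT" "$SAMPLE_UNSYNC"; do
    printf '%s\n' "$sample" | check_tracking || echo "  -> exit status $?"
done
# On a live host: chronyc tracking | check_tracking
```

The non-zero exit status makes the function usable from a cron job or monitoring probe on the Enforce Server and each detection server.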