SWG Kerberos authentication fails after verifying that SWG is properly synching time with target Domain Controller.
Last Updated September 28, 2011
You are receiving the following error and you have verified the following information:
SWG is configured to use the target Domain Controller as its network time source and you have verified time synchronization is working correctly.
The target Domain Controller is not using itself as its time source and is using a secondary time server as its network time source. You have also verified that the target DC is successfully receiving updates from the source time server.
To determine the DC time settings run:
w32tm /query /configuration
and verify that the "ntpserver" field in not "LOCL"
To verify the DC is synching properly run:
w32tm /query /status
and verify that the "source" field in not "LOCL"
"An LDAP error was encountered: Webgate time settings varies by more than the maximum amount allowed by Kerberos server. Either sync Webgate with Kerberos server time settings, or increase the maximum variation allowed on your Kerberos server."
Symantec is currently researching this issue. The current workaround is to use simple authentication. Please monitor this document for further updates.
Imported Document ID: TECH170661
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe