How to address error: Clock skew too great


Article ID: 160526


Products

Data Loss Prevention Enforce

Issue/Introduction

In the localhost logs, the following KINIT error occurs periodically.

Exception: krb_error 37 Clock skew too great (37) Clock skew too great

File: Enforce/logs/tomcat/localhost.2023-05-03.log
Date: 5/3/2023 5:16:47 AM
Thread: 129
Level: WARNING
Source: com.symantec.dlp.login.spring.SymantecKerberosAuthenticationProvider
Message: Kerberos authentication failed: user='[email protected]'
Cause:
org.springframework.security.authentication.BadCredentialsException: Kerberos authentication failed
org.springframework.security.authentication.BadCredentialsException: Kerberos authentication failed

Caused by: javax.security.auth.login.LoginException: Clock skew too great (37)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:810)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618)

Environment

Windows AD

Enforce running on RHEL 8

Cause

The system clock does not align closely enough with the Active Directory server's time value.

Resolution

Ensure that the clocks on the Enforce Server and detection server hosts are time-synchronized with the Active Directory host using the Network Time Protocol (NTP) against a high-stratum NTP server (a lower numeric stratum value means better time quality). Using this protocol, the DLP server hosts should be synchronized to within 5 minutes of the Active Directory host.


On RHEL 8

Install the chrony NTP package

# dnf install chrony

Enable Chrony to start on boot

# systemctl enable chronyd

Start Chrony NTP daemon

# systemctl start chronyd

Check for NTP sources 

Check the new date
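
To confirm the host is inside the 5-minute window after chronyd is running, the offset it reports can be checked automatically. The script below is an added example, not part of the original article or the product: it parses `chronyc tracking` output and flags an offset beyond 300 seconds or an unsynchronised daemon. It assumes chronyd's time sources are the Active Directory domain controllers or share their upstream source; the sample outputs and the host name dc01.example.test are constructed.

```shell
#!/usr/bin/env bash
# Added example: judge chronyd's measured clock offset against the
# 5-minute tolerance the Resolution section gives for Kerberos with AD.
MAX_SKEW_SECONDS=300

# Constructed `chronyc tracking` excerpts (hypothetical host dc01.example.test).
SAMPLE_OK='Reference ID    : C0A80A05 (dc01.example.test)
Stratum         : 3
System time     : 0.000412000 seconds fast of NTP time
Leap status     : Normal'
SAMPLE_SKEWED='Reference ID    : C0A80A05 (dc01.example.test)
Stratum         : 3
System time     : 412.731000000 seconds slow of NTP time
Leap status     : Normal'
SAMPLE_UNSYNCED='Reference ID    : 00000000 ()
Stratum         : 0
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised'

# check_skew TEXT: prints a verdict for one `chronyc tracking` output.
# Returns 0 = within tolerance, 1 = skew too great, 2 = no usable source.
check_skew() {
  local text="$1" leap offset
  leap=$(printf '%s\n' "$text" | awk -F' *: *' '/^Leap status/ {print $2}')
  # "System time : <seconds> seconds fast|slow of NTP time" -> 4th field
  offset=$(printf '%s\n' "$text" | awk '/^System time/ {print $4}')
  if [ -z "$offset" ] || [ "$leap" = "Not synchronised" ]; then
    echo "UNSYNCED: chronyd reports no usable time source"
    return 2
  fi
  # awk does the comparison because shell arithmetic is integer-only.
  if awk -v o="$offset" -v m="$MAX_SKEW_SECONDS" 'BEGIN { exit !(o+0 < m+0) }'; then
    echo "OK: offset ${offset}s is within ${MAX_SKEW_SECONDS}s"
    return 0
  fi
  echo "SKEW: offset ${offset}s exceeds ${MAX_SKEW_SECONDS}s; expect krb_error 37"
  return 1
}

# Demo on the constructed samples. On a live host, run instead:
#   check_skew "$(chronyc tracking)"
for sample in "$SAMPLE_OK" "$SAMPLE_SKEWED" "$SAMPLE_UNSYNCED"; do
  check_skew "$sample" || true
done
```

An UNSYNCED result means the offset figure cannot be trusted, so it is reported separately rather than treated as a pass.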