Once proper authentication is confirmed, it moves to an Account Restricted error.
SAML is dependent on time being in sync across all systems. The Web Security Service proxies sync to atomic clocks to keep time in sync. This is to ensure that the assertions have a common time reference. If time is out of sync for more than 60 seconds, then SAML authentication issues will arise.
To remedy the issue, please check the IDP server's time and make sure time synchronization is functioning properly. If time synchronization is not enabled on your IDP server, Blue Coat highly recommends that you enable time synchronization to prevent these kinds of issues from happening in the future. The lack of time synchronization between the IDP and the atomic clocks that are distributed throughout the Internet will likely result in clock drift on your IDP server. Once your IDP server's time is out of sync by more than 60 seconds (plus or minus) from the atomic clock, you will start to receive the "Account Restricted" messages. To rectify this, please get the IDP's clock back in sync with atomic clock time and the issue should self-heal.
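To see why the 60-second tolerance matters, the following added example (not part of the original article or the Web Security Service code) models the service-provider side of the check: it validates the NotBefore/NotOnOrAfter window of a constructed SAML 2.0 Conditions element with a 60-second skew allowance, then simulates an IDP whose clock has drifted by a chosen number of seconds. The XML, timestamps and network delay are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample <Conditions> element of a SAML 2.0 assertion, timestamped
# by the IdP's own clock (xs:dateTime in UTC with a 'Z' suffix).
SAMPLE_CONDITIONS = (
    '<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>'
)
IDP_ISSUE_TIME = "2024-05-01T12:00:00Z"   # IdP clock reading at issue time (constructed)
ALLOWED_SKEW = timedelta(seconds=60)      # tolerance quoted in the article


def parse_saml_time(value):
    """Parse a SAML xs:dateTime (UTC, 'Z' suffix) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(conditions_xml, now, skew=ALLOWED_SKEW):
    """Return (accepted, reason) for a Conditions element evaluated at `now`.

    The assertion is accepted only if NotBefore - skew <= now < NotOnOrAfter + skew,
    which is the usual service-provider rule with a clock-skew allowance.
    """
    el = ET.fromstring(conditions_xml)
    not_before = parse_saml_time(el.get("NotBefore"))
    not_on_or_after = parse_saml_time(el.get("NotOnOrAfter"))
    if now < not_before - skew:
        return False, "not yet valid: IdP clock is ahead of the SP by more than the skew"
    if now >= not_on_or_after + skew:
        return False, "expired: IdP clock is behind the SP by more than the window plus skew"
    return True, "ok"


def verdict_for_idp_drift(drift_seconds, network_delay=timedelta(seconds=1)):
    """Simulate an IdP whose clock is `drift_seconds` ahead (negative = behind)
    of the SP's atomic-clock-synced time and return the SP's verdict."""
    # The IdP wrote 12:00:00 from its drifted clock, so the true time at issue was
    # 12:00:00 - drift; the SP evaluates the assertion one network delay later.
    sp_now = parse_saml_time(IDP_ISSUE_TIME) - timedelta(seconds=drift_seconds) + network_delay
    return check_conditions(SAMPLE_CONDITIONS, sp_now)


if __name__ == "__main__":
    for drift in (0, 45, 90, -400):
        accepted, reason = verdict_for_idp_drift(drift)
        print(f"IdP drift {drift:+d}s -> {'accepted' if accepted else 'rejected'} ({reason})")
```

An IDP clock running ahead fails as soon as the drift exceeds the skew allowance; a clock running behind is tolerated until the drift exceeds the assertion's validity window plus the allowance, which is why the symptom can appear only in one direction at first.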
For help syncing the Windows/IDP server, please see http://serverfault.com/questions/294787/how-do-i-force-sync-the-time-on-windows-server-2008-r2-domain-controller
If you are using a Windows server and a resync attempt returns the error message "the computer did not resync because no time data was available", switch to a different time server and retry the sync after restarting the w32tm service.
Imported Document ID: 000007753