http://codermonkey65.blogspot.co.uk/2012/09/troubleshooting-kerberos.html
Look under NTP commands
w32tm /resync
net start w32time

> From: ravindhar_ko...@persistent.com
> To: users@tomcat.apache.org
> Subject: RE: Tomcat windows 7 authentication
> Date: Thu, 7 May 2015 11:37:43 +0000
> 
> I have done NTP synchronization in AD, but I am still getting the same error.
> Could you please help with this?
> 
> -----Original Message-----
> From: David Marsh [mailto:dmars...@outlook.com] 
> Sent: Thursday, May 07, 2015 3:39 PM
> To: Tomcat Users List
> Subject: RE: Tomcat windows 7 authentication
> 
> Kerberos requires NTP synchronisation to be in place and working.
> Fix your clocks and the error should go away.
> 
> > From: ravindhar_ko...@persistent.com
> > To: users@tomcat.apache.org
> > Subject: Tomcat windows 7 authentication
> > Date: Thu, 7 May 2015 10:01:39 +0000
> > 
> > Hi
> > I am working on Windows authentication with Tomcat 7.
> > I have gone through the following doc.
> > windows-auth-howto 
> > Tomcat_instance_(Windows_server)<http://shodhganga.inflibnet.ac.in:8080/docs/windows-auth-howto.html#Tomcat_instance_(Windows_server)>
> > 
> > 
> > apache-tomcat-7.0.61
> > windows server 2008 R2
> > java 1.8.0_25
> > active directory machine ( DOMAIN-ad)
> > tomcat instance machine (windows-sso-demo)
> > username (ss0ad...@domain.com<mailto:ss0ad...@domain.com>)
> > password (XXXXXX)
> > 
> > setspn -A HTTP/WINDOWS-SSO-DEMO ssoadmin
> > ktpass /out c:\tomcat.keytab /mapuser ssoad...@domain.com /princ HTTP/windows-sso-d...@domain.com /pass XXXXX /kvno 0
> > 
> > C:\apache-tomcat-7.0.61\conf\jass.conf
> > 
> > com.sun.security.jgss.krb5.initiate {
> >     com.sun.security.auth.module.Krb5LoginModule required
> >     doNotPrompt=true
> >     principal="HTTP/windows-sso-d...@domain.com"
> >     useKeyTab=true
> >     keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
> >     storeKey=true;
> > };
> > 
> > com.sun.security.jgss.krb5.accept {
> >     com.sun.security.auth.module.Krb5LoginModule required
> >     doNotPrompt=true
> >     principal="HTTP/windows-sso-d...@domain.com"
> >     useKeyTab=true
> >    keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
> >     storeKey=true;
> > };
> > 
> > C:\apache-tomcat-7.0.61\conf\krb5.ini
> > 
> > [libdefaults]
> > default_realm = DOMAIN.COM
> > default_keytab_name = FILE:C:\apache-tomcat-7.0.61\conf\tomcat.keytab
> > default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> > default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> > forwardable=true
> > 
> > [realms]
> > DOMAIN.COM = {
> >         kdc = DOMAIN-ad:88
> > }
> > 
> > [domain_realm]
> > dev.local= DOMAIN.COM
> > .dev.local= DOMAIN.COM
> > 
> > C:\apache-tomcat-7.0.61\conf\server.xml
> > 
> > <Realm className="org.apache.catalina.realm.LockOutRealm">
> >         <!-- This Realm uses the UserDatabase configured in the global JNDI
> >              resources under the key "UserDatabase".  Any edits
> >              that are performed against this UserDatabase are immediately
> >              available for use by the Realm.  -->
> >         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
> >                resourceName="UserDatabase"/>
> > 
> >         <Realm className="org.apache.catalina.realm.JNDIRealm"  debug="99"
> >            connectionURL="ldap://DOMAIN-ad:389"
> >            alternateURL="ldap://DOMAIN-ad:389"
> >            connectionName="CN=ssoadmin,CN=Users,DC=DOMAIN,DC=com"
> >            connectionPassword="XXXX"
> >            referrals="follow"
> >            userBase="CN=Users, DC=DOMAIN, DC=com"
> >            userSearch="(sAMAccountName={0})"
> >            userSubtree="true"
> >            roleBase="CN=Users, DC=DOMAIN, DC=com"
> >            roleName="CN"
> >            roleSubtree="true"
> >            roleSearch="(member={0})" />
> > 
> > 
> > 
> >       </Realm>
> > 
> > 
> > C:\apache-tomcat-7.0.61\webapps\sample\META-INF\context.xnl
> > 
> > <?xml version="1.0" encoding="UTF-8"?>
> > <Context>
> >    <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" />
> > </Context>
> > 
> > 
> > 
> > C:\apache-tomcat-7.0.61\webapps\sample\WEB-INF\web.xml
> > 
> > <?xml version="1.0" encoding="ISO-8859-1"?>
> > <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
> >     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
> >     version="2.4">
> > 
> > 
> > 
> >                 <security-constraint>
> >     <display-name>All users</display-name>
> >     <web-resource-collection>
> >       <web-resource-name>All requests</web-resource-name>
> >       <url-pattern>/*</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >       <role-name>*</role-name>
> >     </auth-constraint>
> >   </security-constraint>
> > 
> >   <security-role>
> >     <description>All users</description>
> >     <role-name>*</role-name>
> >   </security-role>
> > 
> >   <login-config>
> >     <auth-method>SPNEGO</auth-method>
> >   </login-config>
> > 
> > 
> >     <display-name>Hello, World Application</display-name>
> >     <description>
> >                 This is a simple web application with a source code organization
> >                 based on the recommendations of the Application Developer's Guide.
> >     </description>
> > 
> >     <servlet>
> >         <servlet-name>HelloServlet</servlet-name>
> >         <servlet-class>mypackage.Hello</servlet-class>
> >     </servlet>
> > 
> >     <servlet-mapping>
> >         <servlet-name>HelloServlet</servlet-name>
> >         <url-pattern>/hello</url-pattern>
> >     </servlet-mapping>
> > 
> > 
> > </web-app>
> > 
> > 
> > 
> > My error is
> > 
> > SEVERE: Unable to login as the service principal
> > javax.security.auth.login.LoginException: Clock skew too great (37)
> >         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
> >         at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:483)
> >         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
> >         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
> >         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
> >         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
> >         at java.security.AccessController.doPrivileged(Native Method)
> >         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
> >         at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
> >         at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:192)
> >         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:577)
> >         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
> >         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> >         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
> >         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> >         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
> >         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
> >         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:620)
> >         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
> >         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> >         at java.lang.Thread.run(Thread.java:745)
> > Caused by: KrbException: Clock skew too great (37)
> >         at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
> >         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
> >         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
> >         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
> >         ... 26 more
> > Caused by: KrbException: Identifier doesn't match expected value (906)
> >         at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
> >         at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
> >         at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
> > 
> > Ravindhar Konka | Software Engineering
> > ravindhar_ko...@persistent.co.in<mailto:ravindhar_ko...@persistent.co.in>| 
> > Cell: +91-99633 74753 | Tel: +91-20-674 42058
> > Persistent Systems Ltd. | Partner in Innovation | 
> > www.persistent.com<http://www.persistent.com/>
> > 
> > 
> > DISCLAIMER
> > ==========
> > This e-mail may contain privileged and confidential information which is 
> > the property of Persistent Systems Ltd. It is intended only for the use of 
> > the individual or entity to which it is addressed. If you are not the 
> > intended recipient, you are not authorized to read, retain, copy, print, 
> > distribute or use this message. If you have received this communication in 
> > error, please notify the sender and delete all copies of this message. 
> > Persistent Systems Ltd. does not accept any liability for virus infected 
> > mails.
> > 
>                                         
> 
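Added example, not part of the thread and not Tomcat or JDK code: one way to measure how far the Tomcat host's clock is from the KDC before retrying the keytab login, since `Clock skew too great (37)` is returned when the two differ by more than the Kerberos tolerance. It assumes the domain controller answers SNTP on UDP 123 and that the default 5-minute tolerance applies; the function names and the `constructed_reply` sample are illustrative.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
MAX_SKEW_SECONDS = 300        # assumed default Kerberos clock-skew tolerance (5 min)


def clock_offset(reply, t_sent, t_received):
    """Server clock minus local clock, in seconds, from a 48-byte SNTP reply."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    mode, stratum = reply[0] & 0x07, reply[1]
    if mode != 4 or stratum == 0:
        raise ValueError(f"unusable reply: mode={mode} stratum={stratum}")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    server_rx = rx_s - NTP_EPOCH_DELTA + rx_f / 2**32
    server_tx = tx_s - NTP_EPOCH_DELTA + tx_f / 2**32
    # Averaging both directions cancels the network round trip.
    return ((server_rx - t_sent) + (server_tx - t_received)) / 2


def within_kerberos_tolerance(offset, max_skew=MAX_SKEW_SECONDS):
    return abs(offset) <= max_skew


def query_offset(host, timeout=3.0):
    """Send one SNTP client request (version 3, mode 3) to host on UDP 123."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t_sent = time.time()
        sock.sendto(b"\x1b" + bytes(47), (host, 123))
        reply, _ = sock.recvfrom(512)
        t_received = time.time()
    return clock_offset(reply, t_sent, t_received)


def constructed_reply(server_time):
    """Constructed sample input: mode-4, stratum-2 reply stamped server_time."""
    sec = int(server_time) + NTP_EPOCH_DELTA
    return bytes([0x1C, 2]) + bytes(30) + struct.pack("!4I", sec, 0, sec, 0)


if __name__ == "__main__":
    now = int(time.time())  # no host argument: constructed reply, 6 min ahead
    offset = (query_offset(sys.argv[1]) if sys.argv[1:]
              else clock_offset(constructed_reply(now + 360), now, now))
    print(f"offset {offset:+.1f} s, ok={within_kerberos_tolerance(offset)}")
```

Run it on the Tomcat machine with the KDC host from krb5.ini as the argument; an offset outside the tolerance means the time service on that machine, not the keytab or JAAS configuration, is what needs fixing.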