Kerberos requires the clocks of the Tomcat host and the KDC (your AD domain controller, DOMAIN-ad) to be synchronised, which in practice means NTP in place and working. "Clock skew too great (37)" is the KDC rejecting the service principal's login because the time difference between the Tomcat machine and the domain controller exceeds the permitted tolerance. Fix your clocks and the error should go away.
> From: ravindhar_ko...@persistent.com > To: users@tomcat.apache.org > Subject: Tomcat windows 7 authentication > Date: Thu, 7 May 2015 10:01:39 +0000 > > Hi > I am working on windows authentication with tomcat 7. > I have gone through the following doc. > windows-auth-howto > Tomcat_instance_(Windows_server)<http://shodhganga.inflibnet.ac.in:8080/docs/windows-auth-howto.html#Tomcat_instance_(Windows_server)> > > > apache-tomcat-7.0.61 > windows server 2008 R2 > java 1.8.0_25 > active directory machine ( DOMAIN-ad) > tomcat instance machine (windows-sso-demo) > username (ss0ad...@domain.com<mailto:ss0ad...@domain.com>) > password (XXXXXX) > > setspn -A HTTP/WINDOWS-SSO-DEMO ssoadmin > ktpass /out c:\tomcat.keytab /mapuser ssoad...@domain.com /princ > HTTP/windows-sso-d...@domain.com /pass XXXXX /kvno 0 > > C:\apache-tomcat-7.0.61\conf\jass.conf > > com.sun.security.jgss.krb5.initiate { > com.sun.security.auth.module.Krb5LoginModule required > doNotPrompt=true > principal="HTTP/windows-sso-d...@domain.com" > useKeyTab=true > keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab" > storeKey=true; > }; > > com.sun.security.jgss.krb5.accept { > com.sun.security.auth.module.Krb5LoginModule required > doNotPrompt=true > principal="HTTP/windows-sso-d...@domain.com" > useKeyTab=true > keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab" > storeKey=true; > }; > > C:\apache-tomcat-7.0.61\conf\krb5.ini > > [libdefaults] > default_realm = DOMAIN.COM > default_keytab_name = FILE:C:\apache-tomcat-7.0.61\conf\tomcat.keytab > default_tkt_enctypes = > rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96 > default_tgs_enctypes = > rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96 > forwardable=true > > [realms] > DOMAIN.COM = { > kdc = DOMAIN-ad:88 > } > > [domain_realm] > dev.local= DOMAIN.COM > .dev.local= DOMAIN.COM > > C:\apache-tomcat-7.0.61\conf\server.xml > > <Realm className="org.apache.catalina.realm.LockOutRealm"> > <!-- This Realm uses the UserDatabase configured 
in the global JNDI > resources under the key "UserDatabase". Any edits > that are performed against this UserDatabase are immediately > available for use by the Realm. --> > <Realm className="org.apache.catalina.realm.UserDatabaseRealm" > resourceName="UserDatabase"/> > > <Realm > className="org.apache.catalina.realm.JNDIRealm" debug="99" > connectionURL="ldap://DOMAIN-ad:389" > alternateURL="ldap://DOMAIN-ad:389" > connectionName="CN=ssoadmin,CN=Users,DC=DOMAIN,DC=com" > connectionPassword="XXXX" > referrals="follow" > userBase="CN=Users, DC=DOMAIN, DC=com" > userSearch="(sAMAccountName={0})" > userSubtree="true" > roleBase="CN=Users, DC=DOMAIN, DC=com" > roleName="CN" > roleSubtree="true" > roleSearch="(member={0})" /> > > > > </Realm> > > > C:\apache-tomcat-7.0.61\webapps\sample\META-INF\context.xnl > > <?xml version="1.0" encoding="UTF-8"?> > <Context> > <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" /> > </Context> > > > > C:\apache-tomcat-7.0.61\webapps\sample\WEB-INF\web.xml > > <?xml version="1.0" encoding="ISO-8859-1"?> > <web-app xmlns="http://java.sun.com/xml/ns/j2ee" > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee > http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" > version="2.4"> > > > > <security-constraint> > <display-name>All users</display-name> > <web-resource-collection> > <web-resource-name>All requests</web-resource-name> > <url-pattern>/*</url-pattern> > </web-resource-collection> > <auth-constraint> > <role-name>*</role-name> > </auth-constraint> > </security-constraint> > > <security-role> > <description>All users</description> > <role-name>*</role-name> > </security-role> > > <login-config> > <auth-method>SPNEGO</auth-method> > </login-config> > > > <display-name>Hello, World Application</display-name> > <description> > This is a simple web application with a source code > organization > based on the recommendations of the Application Developer's > 
Guide. > </description> > > <servlet> > <servlet-name>HelloServlet</servlet-name> > <servlet-class>mypackage.Hello</servlet-class> > </servlet> > > <servlet-mapping> > <servlet-name>HelloServlet</servlet-name> > <url-pattern>/hello</url-pattern> > </servlet-mapping> > > > </web-app> > > > > My error is > > SEVERE: Unable to login as the service principal > javax.security.auth.login.LoginException: Clock skew too great (37) > at > com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Kr > b5LoginModule.java:804) > at > com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.ja > va:617) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl. > java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces > sorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:483) > at > javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) > at > javax.security.auth.login.LoginContext.access$000(LoginContext.java:1 > 95) > at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) > at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) > at java.security.AccessController.doPrivileged(Native Method) > at > javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:6 > 80) > at javax.security.auth.login.LoginContext.login(LoginContext.java:587) > at > org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(Sp > negoAuthenticator.java:192) > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentica > torBase.java:577) > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j > ava:170) > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j > ava:103) > at > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java: > 950) > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal > 
ve.java:116) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav > a:423) > at > org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp > 11Processor.java:1079) > at > org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process( > AbstractProtocol.java:620) > at > org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoin > t.java:318) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor. > java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor > .java:617) > at > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskTh > read.java:61) > at java.lang.Thread.run(Thread.java:745) > Caused by: KrbException: Clock skew too great (37) > at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76) > at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316) > at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361) > at > com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Kr > b5LoginModule.java:776) > ... 26 more > Caused by: KrbException: Identifier doesn't match expected value (906) > at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140) > at sun.security.krb5.internal.ASRep.init(ASRep.java:64) > at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59) > > Ravindhar Konka | Software Engineering > ravindhar_ko...@persistent.co.in<mailto:ravindhar_ko...@persistent.co.in>| > Cell: +91-99633 74753 | Tel: +91-20-674 42058 > Persistent Systems Ltd. | Partner in Innovation | > www.persistent.com<http://www.persistent.com/> > > > DISCLAIMER > ========== > This e-mail may contain privileged and confidential information which is the > property of Persistent Systems Ltd. It is intended only for the use of the > individual or entity to which it is addressed. If you are not the intended > recipient, you are not authorized to read, retain, copy, print, distribute or > use this message. 
If you have received this communication in error, please > notify the sender and delete all copies of this message. Persistent Systems > Ltd. does not accept any liability for virus infected mails. >