kerberos: Clock skew too great (37) – PROCESS_TGS
kerberos认证失败错误信息:
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Clock skew too great (37) - PROCESS_TGS)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:772)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
... 27 common frames omitted
Caused by: sun.security.krb5.KrbException: Clock skew too great (37) - PROCESS_TGS
at sun.security.krb5.KrbTgsRep.(KrbTgsRep.java:73)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:466)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:695)
... 30 common frames omitted
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
at sun.security.krb5.internal.TGSRep.(TGSRep.java:60)
at sun.security.krb5.KrbTgsRep.(KrbTgsRep.java:55)
... 36 common frames omitted
分析原因:
时钟同步问题:所有参与 Kerberos 验证系统的主机都必须在指定的最长时间(称为时钟相位差)内同步其内部时钟。针对这一要求,需要进行另一种 Kerberos 安全检查。如果任意两台参与主机之间的时间偏差超过了时钟相位差,则客户机请求会被拒绝。时钟相位差的最大缺省值为 300 秒(5 分钟)。出于安全原因,不要将时钟相位差增大到超过 300 秒。
解决方案:
进行服务器时间同步
- https://blog.csdn.net/qq_63278311/article/details/132067221
- https://blog.csdn.net/O_Victorain/article/details/84200981
- https://forum.huawei.com/enterprise/zh/thread/580943064170643456
- https://www.cnblogs.com/bybdz/p/13685996.html
- http://www.hzhcontrols.com/new-1971742.html