CAS Spnego Authentication issue || "Clock Skew Too Great (37)"


We have an internal application using CAS for SSO login into an LDAP server.

Users can log in via SSO to the application as usual; it is just that when the number of active users goes beyond a certain number (100), CAS returns an error related to authentication with the AD server, and then the issue doesn't get resolved unless CAS is restarted and user sessions are closed.

The LUP CAS module has not been upgraded for the past 2.5 years and is running as it is.

Issue Details:

Application log:

Caused by: java.lang.reflect.InvocationTargetException
    at jdk.internal.reflect.GeneratedMethodAccessor355.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at jcifs.spnego.Authentication$ServerAction.run(Authentication.java:517)
    at jcifs.spnego.Authentication.processKerberos(Authentication.java:430)
    ... 197 more
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))
    at java.security.jgss/sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:859)
    at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
    at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
    ... 202 more
Caused by: KrbException: Clock skew too great (37)
    at java.security.jgss/sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:302)
    at java.security.jgss/sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
    at java.security.jgss/sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:139)
    at java.security.jgss/sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:832)
    ... 204 more
jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
    at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
    at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
    at jcifs.spnego.Authentication.process(Authentication.java:235)
    at org.apereo.cas.support.spnego.authentication.handler.support.JcifsSpnegoAuthenticationHandler.doAuthentication(JcifsSpnegoAuthenticationHandler.java:72)
    at lup.security.cas.LupActiveDirectorySpnegoAuthenticationHandler.doAuthentication(LupActiveDirectorySpnegoAuthenticationHandler.java:43)
    at org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:43)
    at jdk.internal.reflect.GeneratedMethodAccessor350.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)

2. Also, sometimes we get this error:


Caused by: java.lang.reflect.InvocationTargetException
    at jdk.internal.reflect.GeneratedMethodAccessor315.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at jcifs.spnego.Authentication$ServerAction.run(Authentication.java:517)
    at jcifs.spnego.Authentication.processKerberos(Authentication.java:430)
    ... 197 more
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
    at java.security.jgss/sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:859)
    at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
    at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
    ... 202 more
Caused by: KrbException: Request is a replay (34)
    at java.security.jgss/sun.security.krb5.internal.rcache.AuthList.put(AuthList.java:88)
    at java.security.jgss/sun.security.krb5.internal.rcache.MemoryCache.checkAndStore(MemoryCache.java:60)
    at java.security.jgss/sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:325)
    at java.security.jgss/sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
    at java.security.jgss/sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:139)
    at java.security.jgss/sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:832)

 


Has anyone seen this issue? Any help would be highly appreciated.

 

What we have tried so far:

After searching on Google, we found that this is a time sync issue between the AD server and the application server. For this, with the help of the server team, we fixed the time sync using an NTP tool. But even after this, the issue is happening intermittently. Sometimes it works after restarting the application as well.

Expected

Any number of users can log in to CAS via SSO without any issue.
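
The two codes in the traces above, 37 and 34, come from two separate checks that a Kerberos acceptor applies to the authenticator in each AP-REQ (RFC 4120, section 3.2.3): a timestamp window and a replay cache. The following is a simplified model of both checks, added here as an illustration and not code from the post, CAS, jcifs or the JDK; the 300-second window, the principal names and the timestamps are assumptions.

```python
from dataclasses import dataclass, field

KRB_AP_ERR_REPEAT = 34  # "Request is a replay"
KRB_AP_ERR_SKEW = 37    # "Clock skew too great"


class KrbError(Exception):
    def __init__(self, code):
        super().__init__(f"Kerberos error ({code})")
        self.code = code


@dataclass
class Acceptor:
    max_skew: int = 300  # seconds; assumed 5-minute tolerance
    seen: dict = field(default_factory=dict)  # replay cache: (client, ctime, cusec) -> stored at

    def accept(self, client, ctime, cusec, now):
        """Check one authenticator against the acceptor's own clock `now` (epoch seconds)."""
        # Check 1: the client timestamp must lie within max_skew of the server clock.
        if abs(now - ctime) > self.max_skew:
            raise KrbError(KRB_AP_ERR_SKEW)
        # Entries outside the window can be dropped: check 1 already rejects them.
        self.seen = {k: t for k, t in self.seen.items() if abs(now - k[1]) <= self.max_skew}
        # Check 2: an authenticator already seen inside the window is a replay.
        key = (client, ctime, cusec)
        if key in self.seen:
            raise KrbError(KRB_AP_ERR_REPEAT)
        self.seen[key] = now


def outcome(acceptor, client, ctime, cusec, now):
    """Return 0 when the authenticator is accepted, else the Kerberos error code."""
    try:
        acceptor.accept(client, ctime, cusec, now)
        return 0
    except KrbError as err:
        return err.code


def demo():
    a, t0 = Acceptor(), 1_700_000_000  # constructed epoch time and principals
    return [
        outcome(a, "alice@EXAMPLE.COM", t0, 1, now=t0 + 2),      # first use
        outcome(a, "alice@EXAMPLE.COM", t0, 1, now=t0 + 3),      # same authenticator again
        outcome(a, "alice@EXAMPLE.COM", t0 + 3, 7, now=t0 + 4),  # fresh authenticator
        outcome(a, "bob@EXAMPLE.COM", t0, 1, now=t0 + 301),      # clocks 301 s apart
    ]
```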
