Unable to login in TIBCO Spotfire client - Kerberos authentication fails with error "Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))"

Unable to login in TIBCO Spotfire client - Kerberos authentication fails with error "Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))"

book

Article ID: KB0072912

calendar_today

Updated On:

Products Versions
Spotfire Server All

Description

With Kerberos authentication for Spotfire enabled, the end users are unable to log in using Analyst or web clients. The Kerberos authentication fails and the TIBCO Spotfire Server server.log contains error messages like the following:

server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))

 

Issue/Introduction

Kerberos Authentication fails with error "Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))". To resolve the issue, ensure that the time is propertly synchronized between all the machines involved.

Environment

All

Resolution

This is an external Kerberos issue. For security reasons (to avoid replay attacks) Kerberos requires the time on the KDC and the systems involved to be “loosely” synchronized. This means that the systems are allowed to be out of sync with the KDC within 5 minutes, which is the default. Clock skew too great means that the difference for the time (date+time) between the server and client is more than 5 minutes.

To resolve the issue, ensure that the time is synchronized between all the machines involved - the KDC (Usually Active Directory server), TIBCO Spotfire server, Node manager, and the clients accessing the Spotfire server. For more details, please refer to this Microsoft article: https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb463167(v=technet.10)?redirectedfrom=MSDN

Additional Information

Powered by Wolken Software