FortiGate
mgoswami
Staff
Article Id 364917
Description This article describes the 'Clock skew too great' error that can be seen in the WAD debug output when authenticating a user with Kerberos.
Scope FortiGate.
Solution

This error is seen when the time difference (skew) between the client machine, the service that accepts the Kerberos ticket (here the FortiGate) and the Kerberos Key Distribution Center (KDC) is larger than the configured tolerance, so the authentication cannot succeed.


In Kerberos authentication, time synchronization plays a crucial role. The protocol relies on timestamps in tickets and authenticators to limit replay of captured authentication messages. If the clocks of the client machine, the KDC, or the FortiGate differ by more than the configured threshold, the authentication attempt is rejected with the 'Clock skew too great' error. In the output below the failure is returned by gss_accept_sec_context, the acceptor side of the exchange, which means the FortiGate compared the timestamp in the client's authenticator against its own clock and found the difference too large.

 

A good practice is to point all devices (the Active Directory domain controllers, the client machines and the FortiGate) at the same NTP server. If that is not possible, set the time manually to the same value on the Windows Active Directory server, the client machine and the FortiGate, and check the time zone and DST settings as well, since the comparison is made in absolute (UTC) time.

 

The tolerance is defined by the Kerberos policy in Windows Active Directory. The default value is 5 minutes, and it is not recommended to change it: a larger tolerance widens the window in which a captured authenticator can be replayed. Fix the clocks instead of the policy.

To view the setting, open the policy editor (gpedit.msc; in a domain, Kerberos policy is applied through the Default Domain Policy, so the effective value is the one set there) and navigate to Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> Maximum tolerance for computer clock synchronization.

 

The error can be seen in the WAD authentication debug. Enable it with the following commands and reproduce the user login:

 

diag wad debug enable category auth
diag wad debug enable level verbose
diag debug enable

The output then shows the failure returned by gss_accept_sec_context:

[I][p:518][s:12110505][r:184590895] wad_auth_rule_match :1329 match auth rule succ: kerberos_rule
[I][p:518][s:12110505][r:184590895] wad_http_req_get_user :12254 process=518 auth-rule=kerberos_rule user=/0/0 ip-based/auth-cookie/transact=1/0/0 tp_proxy_auth=1 auth_req=(nil) auth_line=(nil)
[I][p:518][s:12110505][r:184590895] wad_http_auth_status_proc :11503 authenticate result=cp-redir
[I][p:518] wad_hauth_method_chg_get :1505 method:http-mix->http-mix hdr=
[I][p:518] wad_http_auth_status_proc :11503 authenticate result=challenge
[V][p:518] wad_hauth_trace :180 trace_no_auth_resp is disabled
[I][p:518] wad_hauth_method_chg_get :1505 method:http-mix->http-mix hdr=
[I][p:518] wad_http_auth_status_proc :11503 authenticate result=challenge
[V][p:518] wad_hauth_trace :180 trace_no_auth_resp is disabled
[I][p:518] wad_hauth_method_chg_get :1505 method:http-mix->Negotiate hdr=Neg
[I][p:518] wad_krb_err_print :46 Error returned by gss_accept_sec_context: major:d0000 Hex minor:100006 Dec
[I][p:518] wad_krb_err_print :57 major error <1> Unspecified GSS failure. Minor code may provide more information
[I][p:518] wad_krb_err_print :70 minor error <1> Clock skew too great
[I][p:518] wad_negotiate_del_ctx :927 release krb nego output buffer:0
[E][p:518] wad_nego_authenticate :271 Error occurred during krb authentication.
[I][p:518] wad_http_auth_status_proc :11503 authenticate result=failure
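As an added example (not code from the Fortinet article or from FortiOS), the script below does two things a practitioner would want when triaging this case: it parses wad_krb_err_print lines of the kind shown above into structured records and flags the clock-skew failure, and it compares the clocks of the client, the KDC and the FortiGate against the 5-minute Kerberos default tolerance discussed earlier to show which pair is out of range. The sample log lines are taken from the output above; the host timestamps are constructed for illustration. The decoding of the GSS major status (0xd0000 = GSS_S_FAILURE, routine error 13 shifted by 16) is a fact of the GSS-API; the printed minor code is kept as-is and not interpreted.

```python
"""Triage 'Clock skew too great' from FortiGate WAD Kerberos debug output.

Added example, not code from the Fortinet article or FortiOS. Sample log
lines are taken from the article's output; host clock values are constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from itertools import combinations

# Kerberos default 'Maximum tolerance for computer clock synchronization'
KRB_MAX_SKEW = timedelta(minutes=5)

# GSS major status 0xd0000 is GSS_S_FAILURE (routine error 13 << 16)
GSS_S_FAILURE = 13 << 16

# 'Error returned by <func>: major:<hex> Hex minor:<n> Dec'
_CODE_RE = re.compile(
    r"wad_krb_err_print :\d+ Error returned by (?P<func>\w+): "
    r"major:(?P<major>[0-9a-fA-F]+) Hex minor:(?P<minor>\d+) Dec"
)
# 'major error <n> <message>' / 'minor error <n> <message>'
_MSG_RE = re.compile(
    r"wad_krb_err_print :\d+ (?P<kind>major|minor) error <\d+> (?P<msg>.+?)\s*$"
)
_RESULT_RE = re.compile(r"authenticate result=(?P<result>[\w-]+)")


def parse_wad_krb_errors(lines):
    """Return one dict per GSS failure printed by wad_krb_err_print.

    Keys: func, major (int), minor (int), major_msg, minor_msg and result,
    the first 'authenticate result=' that follows the error (or None).
    """
    errors = []
    current = None
    for line in lines:
        m = _CODE_RE.search(line)
        if m:
            current = {"func": m.group("func"),
                       "major": int(m.group("major"), 16),
                       "minor": int(m.group("minor")),  # printed as decimal by WAD
                       "major_msg": None, "minor_msg": None, "result": None}
            errors.append(current)
            continue
        if current is None:
            continue  # lines before any GSS error are not of interest here
        m = _MSG_RE.search(line)
        if m:
            current[m.group("kind") + "_msg"] = m.group("msg")
            continue
        m = _RESULT_RE.search(line)
        if m and current["result"] is None:
            current["result"] = m.group("result")
    return errors


def is_clock_skew_failure(err):
    """True when the GSS failure is the Kerberos clock-skew rejection."""
    return err["major"] == GSS_S_FAILURE and err["minor_msg"] == "Clock skew too great"


def clock_skew_report(clocks, tolerance=KRB_MAX_SKEW):
    """Compare every pair of host clocks read at the same instant and return
    the pairs whose difference exceeds 'tolerance' as (host_a, host_b, seconds).

    clocks: mapping of host name -> timezone-aware datetime.
    """
    over = []
    for a, b in combinations(clocks, 2):
        skew = abs(clocks[a] - clocks[b])
        if skew > tolerance:
            over.append((a, b, int(skew.total_seconds())))
    return over


# Sample lines from the WAD debug output above (the relevant part)
SAMPLE_WAD_LINES = [
    "[I][p:518] wad_hauth_method_chg_get :1505 method:http-mix->Negotiate hdr=Neg",
    "[I][p:518] wad_krb_err_print :46 Error returned by gss_accept_sec_context: major:d0000 Hex minor:100006 Dec",
    "[I][p:518] wad_krb_err_print :57 major error <1> Unspecified GSS failure. Minor code may provide more information",
    "[I][p:518] wad_krb_err_print :70 minor error <1> Clock skew too great",
    "[I][p:518] wad_negotiate_del_ctx :927 release krb nego output buffer:0",
    "[E][p:518] wad_nego_authenticate :271 Error occurred during krb authentication.",
    "[I][p:518] wad_http_auth_status_proc :11503 authenticate result=failure",
]

# Constructed sample: three clocks read at the same instant, FortiGate 7 min ahead
SAMPLE_CLOCKS = {
    "client": datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc),
    "kdc": datetime(2024, 1, 15, 10, 0, 30, tzinfo=timezone.utc),
    "fortigate": datetime(2024, 1, 15, 10, 7, 0, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for err in parse_wad_krb_errors(SAMPLE_WAD_LINES):
        tag = "CLOCK SKEW" if is_clock_skew_failure(err) else "other"
        print(f"{err['func']}: major=0x{err['major']:x} minor={err['minor']} "
              f"-> {err['minor_msg']} [{tag}] result={err['result']}")
    for a, b, secs in clock_skew_report(SAMPLE_CLOCKS):
        print(f"{a} vs {b}: {secs}s apart, over the "
              f"{int(KRB_MAX_SKEW.total_seconds())}s tolerance")
```

Feed the full 'diag wad debug' capture to parse_wad_krb_errors; any record for which is_clock_skew_failure is true points at the clocks rather than at the keytab, SPN or the authentication rule. The clock values for clock_skew_report are read manually from each host (the FortiGate, the domain controller and the client) at the same moment; the report tells which host is the outlier so that only that one needs correcting.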