Summary
You get an error in the HTTP logs similar to the following:
Error: LDAP module failed to initialize authentication [get_TGT : Clock skew too great Unknown error while getting initial ticket]
Error: MIT Kerberos5: get_TGT : Clock skew too great Unknown error while getting initial ticket\n
Error: MIT Kerberos5: get_TGT : Clock skew too great Unknown error while getting initial ticket\n
Details
The default skew range for InterScan Web Security Virtual Appliance (IWSVA) is five (5) minutes. You can see this value in the [libdefaults]/clockskew parameter of the krb5.conf file.
The error appears when the difference between the system time of IWSVA and that of the Kerberos server is greater than the default skew range. To synchronize the time, point IWSVA and the Kerberos server to one of the NTP servers.
To add an NTP server in IWSVA:
- Log in to the IWSVA web console.
- Go to Administration > IWSVA Configuration > System Time.
- Configure the system time and time zone settings.
- Click Save.
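To confirm that a host is inside the skew window, the following added example (not Trend Micro code) reads [libdefaults]/clockskew from krb5.conf text and compares it with the clock offset measured from an SNTP reply. The function names, the sample krb5.conf and the sample reply are constructed for illustration, and the offset is measured against an NTP reference rather than against the Kerberos server itself.

```python
import re, socket, struct, time

NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def read_clockskew(conf_text, default=300):
    """Return [libdefaults]/clockskew in seconds; MIT krb5 uses 300 when unset."""
    section = None
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line[0] in "#;":      # blank line or comment line
            continue
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head:
            section = head.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "clockskew":
                return int(value)
    return default

def ntp_offset(reply, t_send, t_recv):
    """Offset (server minus local, in seconds) from a 48-byte SNTP reply."""
    def stamp(pos):                           # 32.32 fixed-point NTP timestamp
        sec, frac = struct.unpack("!II", reply[pos:pos + 8])
        return sec - NTP_DELTA + frac / 2**32
    # bytes 32-39: server receive time, bytes 40-47: server transmit time
    return ((stamp(32) - t_send) + (stamp(40) - t_recv)) / 2

def query_offset(host, timeout=3.0):
    """Measure the offset against an NTP server chosen by the caller."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t_send = time.time()
        s.sendto(b"\x23" + 47 * b"\0", (host, 123))  # LI=0, VN=4, mode=3 (client)
        reply = s.recv(48)
        return ntp_offset(reply, t_send, time.time())

def within_skew(offset, clockskew):
    return abs(offset) <= clockskew

# Constructed sample data, not taken from a real appliance.
SAMPLE_CONF = "[libdefaults]\n default_realm = EXAMPLE.COM\n clockskew = 300\n"

def sample_reply(server_time):
    """Constructed SNTP reply whose receive/transmit stamps equal server_time."""
    stamp = struct.pack("!II", int(server_time) + NTP_DELTA, 0)
    return b"\x24" + 31 * b"\0" + stamp + stamp     # LI=0, VN=4, mode=4 (server)

if __name__ == "__main__":
    limit = read_clockskew(SAMPLE_CONF)
    off = ntp_offset(sample_reply(1700000400), 1700000000.0, 1700000000.0)
    print(f"offset {off:+.1f}s, limit {limit}s, ok={within_skew(off, limit)}")
```

On a live host, pass the contents of krb5.conf to read_clockskew and the result of query_offset for your NTP server to within_skew.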