Time Synchronization Issues

Published: 09/07/2014

Time differences on the network can manifest themselves in numerous ways. With PingFederate, the most common error seen is:

 
ERROR [com.pingidentity.adapters.opentoken.BaseAuthnAdapter] Error decoding token 
com.pingidentity.opentoken.TokenException: Invalid token; token is not yet valid (not-before > now)
 
This can be caused by network latency or a time skew. For a network latency issue, the best thing to do is modify the Not Before Tolerance; for information on this, please reference this KB article.
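
To tell latency from skew before changing the tolerance, measure the server's clock offset against the reference time source. The Python below is an added example, not part of the original article or of PingFederate: it computes the offset from one SNTP reply and applies an assumed model of the not-before check (rejected when not-before > now + tolerance). The function names and the sample reply are constructed for illustration.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def ntp_to_unix(packet: bytes, pos: int) -> float:
    """Decode a 64-bit NTP timestamp: 32-bit seconds plus 32-bit fraction."""
    seconds, fraction = struct.unpack_from("!II", packet, pos)
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32


def clock_offset(reply: bytes, t_sent: float, t_received: float) -> float:
    """Reference time minus local time in seconds (positive: local clock is behind)."""
    if len(reply) < 48 or reply[0] & 0x07 != 4 or reply[1] == 0:
        raise ValueError("not a usable NTP server reply")
    server_rx = ntp_to_unix(reply, 32)  # when the server received the request
    server_tx = ntp_to_unix(reply, 40)  # when the server sent the reply
    # Averaging both directions cancels symmetric network latency.
    return ((server_rx - t_sent) + (server_tx - t_received)) / 2


def query_offset(host: str, timeout: float = 2.0) -> float:
    """Send one SNTP client request to UDP port 123 and return the offset."""
    request = b"\x23" + bytes(47)  # LI=0, version 4, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t_sent = time.time()
        sock.sendto(request, (host, 123))
        reply, _ = sock.recvfrom(512)
        t_received = time.time()
    return clock_offset(reply, t_sent, t_received)


def rejects_fresh_token(offset: float, tolerance: float) -> bool:
    """Assumed model: an accurate issuer stamps not-before = local now + offset,
    and the token is rejected when not-before > now + tolerance."""
    return offset > tolerance


def sample_reply(server_time: float) -> bytes:
    """Constructed server reply (mode 4, stratum 2) with rx = tx = server_time."""
    secs = int(server_time) + NTP_EPOCH_DELTA
    frac = int((server_time % 1) * 2**32)
    return b"\x24\x02" + bytes(30) + struct.pack("!II", secs, frac) * 2


if __name__ == "__main__":  # constructed reply: reference clock 7 s ahead
    print(clock_offset(sample_reply(1410084007.5), 1410084000.4, 1410084000.6))
```

An offset that stays above the configured tolerance across repeated measurements points to skew rather than latency; `query_offset` takes the same internal reference host you would pass to ntpdate.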
 
For persistent issues where you suspect a time skew/sync issue, follow the directions below for the type of server that is having trouble keeping time.
 
VMware Virtual Servers
 
If your host time is correct, you can set the following .vmx configuration file option to enable periodic synchronization:
 
tools.syncTime = true
 
By default, this synchronizes the time every minute. To change the periodic rate, set the following option to the desired synch time in seconds:
 
tools.syncTime.period = 60
 
For this to work, you must have VMware Tools installed in your guest OS.
 
Note: If the time drift on the guest OS is forward, VMware Tools time synchronization does not properly correct it and NTP or w32time must be used. See KB1006427 for additional information.
 
Note: You cannot have both the Internet Time setting turned on in the Windows VMs (Control Panel > Date and Time > Internet Time tab) and time synchronization enabled in the VM configuration file. This causes the guest OS to get time updates from two places and can cause unpredictable time results.
 
Standalone Windows Servers 
 
On standalone Windows servers, use the W32Time service to sync with the PDC (typically the time reference in Kerberos-authenticated networks). The easiest and most reliable way to do this is to create a scheduled task using the W32tm.exe tool with the /resync argument.
 
This triggers a clock sync, provided the Windows Time service is running. Be sure to test it manually; note that the command requires administrator rights and that the service may need to be started.
 
The task will have two actions. Make sure they are in the right order. The first action does the same as the original Synchronize Time task and ensures the Windows Time service is running. The second action makes the actual time sync happen.
 
Set the first action to start the w32time service, which is:

 
%windir%\system32\sc.exe with arguments start w32time task_started
 
Set the second action to do the actual resync:
 
%windir%\system32\w32tm.exe with argument /resync
 
You can also modify the registry to control resync behavior and make other adjustments to the time service. If you wish to do that, reference the following Microsoft articles: 773061 and 884776
 
 
Linux / Unix Servers
 
Generally, Linux and Unix servers can use ntpdate or rdate to sync to your internal reference time service. You can also run the ntp daemon, but a simple cron script using one of these commands is usually sufficient for most installations.

Be sure to test these commands as root before creating the cron job. The syntax (see the man page on your specific system for additional options and caveats) should be similar to: 
 
 
          /usr/sbin/ntpdate -u <host>
Or
          rdate <host> or rdate -u <host> 
 
A cron job similar to the one below will update/correct the time on the server at 04:00 (see man crontab for details on creating the cron entry):
 
# crontab -e
0 4 * * * /usr/sbin/ntpdate -u <host>
 
 