Time Synchronization Issues
Local User Groups
BACK TO KNOWLEDGE BASE HOME >
Time Synchronization Issues
Issues with time differences on the network can manifest themselves in numerous ways, with PingFederate the most common error seen is:
ERROR [com.pingidentity.adapters.opentoken.BaseAuthnAdapter] Error decoding token
com.pingidentity.opentoken.TokenException: Invalid token; token is not yet valid (not-before > now)
This can be caused by a latency in the network or a time skew. For an network latency issue the best thing to do is modify the
Not Before Tolerance
for information on this please reference this
For persistent issues when you suspect a time skew/sync issue follow these directions depending on the server having the issue with setting the time.
VMware Virtual Servers
If your host time is correct, you can set the following
configuration file option to enable periodic synchronization:
tools.syncTime = true
By default, this synchronizes the time every minute. To change the periodic rate, set the following option to the desired synch time in seconds:
tools.syncTime.period = 60
For this to work you must have VMWare tools installed in your guest OS.
for more information
If the time drift on the guest OS is
VMware Tools time synchronization does not properly correct it and
must be used, see
for additional information.
have Internet both Time setting turned on in the Windows VM's (Control Panel > Date and Time > Internet Time tab) and the VM configuration file. This causes the guest OS to get time updates from two places and can cause unpredictable time results.
Standalone Windows Servers
On standalone windows servers reference use the W32Time service to sync with the PDC (typically the reference in Kerberos authenticated networks) The easiest and most reliable way to do this or create a scheduled task using the
This triggers a clock sync, provided the Windows Time service is running, (be sure to test it manually, note that the command requires administrator rights and that the service may need to be started.)
The task will have two actions. Make sure they are in the right order. The first action does the same as the original Synchronize Time task and ensures the Windows Time service is running. The second action makes the actual time sync happen.
Set the first action to start the w32time service, which is:
%windir%\system32\sc.exe with arguments start w32time task_started
Set the second action to do the actual resync:
with argument /
You can also modify the registry to resync and all kinds of tweaking with the time. If you wish to do that
reference the following Microsoft articles:
Linux / Unix Servers
Generally Linux and Unix servers can use ntpdate and rdate to sync to your internal reference time service. You can also run the ntp daemon but a simple cron script using one of these command is usually sufficient for most installations.
Be sure to test these commands as
before creating the cron job. The syntax (see the man page on your specific system for additional options and caveats) should be similar to:
/usr/sbin/ntpdate -u <host>
rdate <host> or rdate -u <host>
Using a cron job similar to below will update/correct your time in server at 04:00 (see
for details on creating the cron entry)
# crontab -e
0 4 * * * /usr/sbin/ntpdate -u <host>
KB or other URL: