Unable to log on to BlackBerry Administration Service due to clock time skew

Article ID: KB18177

Type: Support Content

Last Modified: 05-29-2013

 

Product(s) Affected:

  • BlackBerry Enterprise Server 5
  • BlackBerry Business Cloud Services for Microsoft Office 365
Environment
  • BlackBerry Enterprise Server 5.0
  • BlackBerry Business Cloud Services for Microsoft Office 365 
  • DT 301644
Overview

If a time skew (difference) exists between the server clock on the computer that hosts the BlackBerry Administration Service Application Server (BAS-AS) and BlackBerry Administration Service Native Code Container (BAS-NCC) and the Domain Controller, users will not be able to log on to BlackBerry Administration Service and the following error will appear on the BlackBerry Administration Service page:

The username, password, or domain is not correct. Please correct the entry.

Cause

The error displayed by BlackBerry Administration Service is misleading, because the root cause of this problem is that there is a time skew greater than 5 minutes between the clock on the server hosting the BlackBerry Administration Service and the clock of the Domain Controller providing authentication services (KDC role).

The following log line appears in the BlackBerry Administration Service Application Server (BAS-AS) log file:

{http-<BASName>%2F10.200.26.82-443-1} [com.rim.bes.basplugin.activedirectory.ActiveDirectoryManagerBean] [INFO] [ADAU-1000] {u=SystemUser, t=32681} loginAsLdapUser failed to authenticate LDAP user=besadmin, realm=<Domain>, kdc=<Domain Controller providing KDC services> javax.security.auth.login.LoginException: Clock skew too great (37)

Note: The realm=<Domain> and kdc=<Domain Controller providing KDC services> values will be unique to each environment.

 
The following log line appears in the BlackBerry Administration Service Application Server (BAS-AS) 5.0.2 log file:

(07/14 15:03:53:499):{http-servername%2F127.0.0.1-443-1} [com.dstc.security.kerberos.jaas.KerberosLoginModule] [ERROR] login failed: Kerberos error creating ticket: com.dstc.security.kerberos.KerberosError: Clock skew too great
KrbError:
 Error code: 37
 Error message: null
 Client name: null
 Client realm: null
 Client time: null
 Server name: krbtgt/<DomainController>
 Server realm: Domain
 Server time: Wed Jul 14 14:58:46 EDT 2010

The timestamp at the start of the log line indicates the time on the BlackBerry Administration Service server, and the Server time: field shows the Domain Controller's time.

Note: This issue is not inherent in the BlackBerry Administration Service, but it is a result of the time skew in the environment between a Windows Server and a Domain Controller.
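
To confirm the skew from a BAS-AS 5.0.2 log, the entry's own timestamp can be compared with its Server time: field. The following Python script is an added example, not BlackBerry code; it assumes both times are rendered in the same local time zone, and the function names and the abbreviated sample entry are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)  # limit stated in this article

# Constructed sample: the 5.0.2 entry shown above, abbreviated.
SAMPLE = """(07/14 15:03:53:499):{http-servername%2F127.0.0.1-443-1} [com.dstc.security.kerberos.jaas.KerberosLoginModule] [ERROR] login failed: Kerberos error creating ticket: com.dstc.security.kerberos.KerberosError: Clock skew too great
KrbError:
 Error code: 37
 Server name: krbtgt/<DomainController>
 Server realm: Domain
 Server time: Wed Jul 14 14:58:46 EDT 2010
"""

ENTRY_RE = re.compile(r"^\((\d\d)/(\d\d) (\d\d):(\d\d):(\d\d):(\d{3})\).*Clock skew too great")
SERVER_RE = re.compile(r"^\s*Server time:\s+\w{3} (\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) \S+ (\d{4})")

def find_skews(text):
    """Return (bas_time, dc_time, skew) for each 'Clock skew too great' entry."""
    results, pending = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            # Remember the BAS-side timestamp until its Server time line appears.
            pending = [int(g) for g in m.groups()]
            continue
        m = SERVER_RE.match(line)
        if m and pending:
            mon, day, hms, year = m.groups()
            # Time zone token is skipped (assumption: same zone on both values).
            dc = datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")
            mo, d, h, mi, s, ms = pending
            # The log timestamp has no year; borrow it from the Server time line.
            bas = datetime(dc.year, mo, d, h, mi, s, ms * 1000)
            results.append((bas, dc, bas - dc))
            pending = None
    return results

def exceeds_limit(skew):
    """True when the absolute skew is greater than the 5-minute limit."""
    return abs(skew) > MAX_SKEW

if __name__ == "__main__":
    for bas, dc, skew in find_skews(SAMPLE):
        print(f"BAS {bas}  DC {dc}  skew {skew.total_seconds():+.0f}s  over limit: {exceeds_limit(skew)}")
```

A positive skew means the BlackBerry Administration Service server clock is ahead of the Domain Controller; a negative value means it is behind.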

Resolution

Ensure that there is not a clock skew of greater than 5 minutes between the server that hosts the BlackBerry Administration Service Application Server (BAS-AS) and BlackBerry Administration Service Native Code Container (BAS-NCC) and the Domain Controller providing authentication services (KDC). This can be accomplished by making that particular Domain Controller the time source for the server hosting BlackBerry Administration Service - Application Server (BAS-AS) and BlackBerry Administration Service - Native Code Container (BAS-NCC) or having them synchronize their clocks/time from a common time source.

This can also be resolved by manually eliminating the clock skew (changing the time) between the two servers so that there is not a time skew in excess of 5 minutes.

The following command can be used to set the clock to the time on the Domain Controller being used:

net time \\<Domain controller from KDC error> /set

To determine the authenticating Domain Controller in use by the BlackBerry Enterprise Server, open Command Prompt, type set l and press Enter. The LOGONSERVER value in the output names the authenticating Domain Controller.

Restarting the Windows Time service will also reset the time; however, it may not synchronize with that specific Domain Controller.
