Resolving Clock Skew Issues
The Snow Commander ecosystem includes many systems with which Commander integrates or interacts. Some of these, particularly Active Directory and vCenter, can exhibit unwanted behavior when the time is not synchronized with your Commander application server.
For example when the time is not synchronized across systems, and the difference (clock skew) between the time for Commander and your directory service is too great, you will not be able to login with a directory account but will still be able to access Commander using a local account such as the default superuser.
When this is the case, you will see messages similar to the following in the identityservice.log file:
In Commander, you can also check the status of the directory services integration:
- In the Commander admin console, browse to Configuration > Identity and Access.
- Switch to the Authentication tab.
- If a caution sign appears beside an integrated directory service, this indicates issues with the integration, such as time synchronization. If the directory service integration is working normally, there will be no caution sign.
- Click Edit and immediately Save the configuration without making any changes. You will receive an error if time synchronization is preventing success:
- Correlate the failures with the clock skew errors in the log as demonstrated in the example above and you confirm the issue is with network time.
To resolve, you must make sure that the Commander application server and the out-of-synch systems are all using the same time server. It's a good idea to use an external time source, for example Google's:
time1.google.com time2.google.com time3.google.com time4.google.com
However, the best option is to speak with your network admin to confirm whether or not there is a preferred server on the network. Either way, all servers should be configured to use the same time.