
Symantec Web Gateway Kerberos authentication

Created: 26 Aug 2013 | 3 comments

I have an error: "! An LDAP error was encountered: Webgate time setting varies by more than the maximum amount allowed by Kerberos server. Either sync Webgate with Kerberos server time settings, or increase the maximum variation allowed on your Kerberos server."

As I saw in the article

http://www.symantec.com/docs/TECH163366

I changed the "Maximum tolerance for computer clock synchronization" to 10, but the problem is not solved.

As I saw in the forum

https://www-secure.symantec.com/connect/forums/swg-50318-vs-windows-server-2008-r2-kerberos-authentication

his solution is: "I've found what is wrong. I've specified FQDN instead of IP in Kerberos settings and error is gone."

I didn't understand where in the Kerberos settings.

I need help with this problem, if possible.


SMLatCST's picture

Your error is different from that in the linked forum post. His was that the SWG failed because it couldn't contact the DC using Kerberos auth. Just to clarify, all he did was change the "LDAP Server IP or Hostname" field from the IP he was using to the FQDN (apparently leaving Kerberos as automatic).

Your issue appears to be because the time on the SWG is different from that of your DC (LDAP Server).  Can you check in Administration -> Configuration -> Time on the SWG and confirm it is pointing at the same NTP source as your DC?

shimaa mohammed's picture

The SWG points to the DC for the time (the DC is the NTP for the SWG).

SMLatCST's picture

And have you verified the time?  As indicated by the reg changes you made and the continued error message, the DC seems to think your SWG is more than 10 minutes out of sync.

Have you reviewed the below articles on the error?

http://www.symantec.com/docs/TECH145410
http://www.symantec.com/docs/TECH170661
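
Added example, not part of the thread or of any Symantec tooling: one way to measure the skew the replies above ask about is to take an SNTP reading from the DC and compare the offset with the Kerberos tolerance (10 minutes in this thread). The function names and the sample reply are constructed for illustration; `query_offset` assumes the DC answers NTP on UDP 123.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def ntp_to_unix(packet, pos):
    """Decode the 64-bit NTP timestamp at byte `pos` into Unix seconds."""
    secs, frac = struct.unpack_from("!II", packet, pos)
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def clock_offset(reply, t1, t4):
    """Server clock minus local clock, in seconds (RFC 4330 formula).
    t1/t4 are the local send and receive times of the SNTP exchange."""
    if len(reply) < 48:
        raise ValueError("truncated NTP reply")
    if reply[0] & 0x07 != 4 or reply[1] == 0:  # need mode 4 (server), stratum > 0
        raise ValueError("not a usable server reply")
    t2 = ntp_to_unix(reply, 32)  # server receive timestamp
    t3 = ntp_to_unix(reply, 40)  # server transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2

def within_tolerance(offset_s, tolerance_min):
    """True if the skew fits the Kerberos clock-sync tolerance (minutes)."""
    return abs(offset_s) <= tolerance_min * 60

def query_offset(server, timeout=3.0):
    """Live reading from an NTP server such as the DC (hostname supplied by caller)."""
    request = b"\x23" + bytes(47)  # LI=0, VN=4, mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (server, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)

def constructed_reply(t2, t3):
    """Build a sample server reply (constructed data, not a capture)."""
    def ts(unix):
        return struct.pack("!II", int(unix) + NTP_EPOCH_DELTA, int(unix % 1 * 2**32))
    return bytes([0x24, 2, 0, 0]) + bytes(28) + ts(t2) + ts(t3)

if __name__ == "__main__":
    t1 = 1377500000.0  # constructed local send time
    reply = constructed_reply(t1 + 725.25, t1 + 725.25)
    off = clock_offset(reply, t1, t1 + 0.5)
    print(f"offset {off:+.2f}s, within 10 min: {within_tolerance(off, 10)}")
```

Run from a host on the same network as the SWG, `query_offset` with the DC's hostname gives the DC's offset from that host's clock; a positive value means the DC is ahead.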