Configuring time synchronization between PingFederate and other servers

Configuring time synchronization between PingFederate and other servers - PingFederate

Use Cases

bundle

solution-guides

ft:publication_title

Use Cases

Product_Version_ce

category

ContentType

howtodoc

ContentType_ce

How-to

Some operations require time synchronization between guest servers and PingFederate. This task describes how to resolve time synchronization errors for various server platforms.

The following PingFederate error message is caused by either network latency or a time synchronization error:

ERROR [com.pingidentity.adapters.opentoken.BaseAuthnAdapter] Error decoding token 
com.pingidentity.opentoken.TokenException: Invalid token; token is not yet valid (not-before > now)

For a network latency issue, see the Knowledge Base article What should be the value of Not-Before-Tolerance in the OpenToken adapter configuration?

Component

PingFederate 9.x

Click the tab for your server platform to see the instructions for configuring time synchronization.

Configuring time synchronization with VMware virtual servers

Synchronizing with PingFederate servers instead of the default internet time service can solve synchronization errors in Windows Virtual Machine servers.

Install VMware Tools on your guest OS. For more information, see Timekeeping in VMware Virtual Machines.

Go to Control Panel > Set the time and date > Internet Time tab > Change settings... and clear the Synchronize with an Internet time server check box.
Open Command Prompt as an administrator.
Enter time to verify that the host time is correct.
Set the following .vmx configuration option to enable periodic synchronization.
```
tools.syncTime=true
```
By default the server will synchronize time every minute. Use the following command to change the synchronization frequency.
```
tools.syncTime.period=time in seconds
```

VMware Tools time synchronization cannot correct the issue if the guest OS time is ahead of the server. In that case, use NTP or w32time to set your server clock.

Configuring time synchronization with standalone Windows servers

Standalone Windows servers synchronize time with the W32Time service.

Open Command Prompt as an administrator.
Start the W32Time service
```
%windir%\system32\sc.exe start w32time task_started
```
Note: This command requires administrator rights.
Synchronize the server with the W32Time service.
```
%windir%\system32\w32tm.exe /resync
```
The registry can also be modified to resync and perform other time-related tasks. For more information, see Windows Time Service Technical Reference.

Configuring time synchronization with Linux/Unix servers

Synchronize the time on most Linux/Unix servers using a simple ntpdate or rdate script.

Before creating the cron job, test these commands as the root user using the following syntax:
- ```
/usr/sbin/ntpdate -u host
```
- ```
rdate host or rdate -u host
```
Note: See the man page on your specific system for additional options.
Use the following command to synchronize your time server. This example sets the synchronization event to occur at 04:00:
```
# crontab -e
0 4***/usr/sbin/ntpdate -u host
```