Use Cases

Configuring time synchronization between PingFederate and other servers

Some operations require time synchronization between guest servers and PingFederate. This task describes how to resolve time synchronization errors for various server platforms.

The following PingFederate error message is caused by either network latency or a time synchronization error:

ERROR [com.pingidentity.adapters.opentoken.BaseAuthnAdapter] Error decoding token
com.pingidentity.opentoken.TokenException: Invalid token; token is not yet valid (not-before > now)

For a network latency issue, see the Knowledge Base article not-before-tolerance

Component

PingFederate 9.x

Configuring time synchronization with VMware virtual servers

Synchronizing with PingFederate servers instead of the default internet time service can solve synchronization errors in Windows Virtual Machine servers.

Before you begin

Install VMware Tools on your guest OS. For more information, see .

Steps

  1. Go to Control Panel → Set the time and date → Internet Time tab → Change settings…​ and clear the Synchronize with an Internet time server check box.

  2. Open Command Prompt as an administrator.

  3. Enter time to verify that the host time is correct.

  4. Set the following .vmx configuration option to enable periodic synchronization.

    tools.syncTime=true

    By default the server will synchronize time every minute. Use the following command to change the synchronization frequency.

    tools.syncTime.period=time in seconds

Troubleshooting

VMware Tools time synchronization cannot correct the issue if the guest OS time is ahead of the server. In that case, use NTP or w32time to set your server clock.

Configuring time synchronization with standalone Windows servers

Standalone Windows servers synchronize time with the W32Time service.

Steps

  1. Open Command Prompt as an administrator.

  2. Start the W32Time service

    %windir%\system32\sc.exe start w32time task_started
    This command requires administrator rights.

  3. Synchronize the server with the W32Time service.

    %windir%\system32\w32tm.exe /resync

    The registry can also be modified to resync and perform other time-related tasks. For more information, see Windows Time Service Technical Reference.

Configuring time synchronization with Linux/Unix servers

Synchronize the time on most Linux/Unix servers using a simple ntpdate or rdate script.

Steps

  1. Before creating the cron job, test these commands as the root user using the following syntax:

    Choose from:

    • /usr/sbin/ntpdate -u  host

    • rdate  host  or rdate -u  host
      See the man page on your specific system for additional options.

  2. Use the following command to synchronize your time server. This example sets the synchronization event to occur at 04:00:

    # crontab -e
0 4***/usr/sbin/ntpdate -u  host