Not able to login to RHEVM portal as Active Directory User
Environment
- Red Hat Enterprise Virtualization 3.3
Issue
Not able to login to RHEVM portal as Active Directory User.
The following errors are seen in /var/log/ovirt-engine/engine.log:
2014-04-06 12:52:26,191 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp-/127.0.0.1:8702-6) Failed ldap search server LDAP://example.com:389 using user administrator@abc.COM due to Authentication Failed. The Engine clock is not synchronized with directory services (must be within 5 minutes difference). Please verify the clocks are synchronized. We should try the next server
2014-04-06 12:52:26,191 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp-/127.0.0.1:8702-6) Failed authenticating user: administrator to domain example.com. Ldap Query Type is getUserByName
2014-04-06 12:52:26,191 ERROR [org.ovirt.engine.core.bll.adbroker.LdapBrokerCommandBase] (ajp-/127.0.0.1:8702-6) Failed to run command LdapAuthenticateUserCommand. Domain is example.com. User is administrator.
2014-04-06 12:52:26,192 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-6) USER_FAILED_TO_AUTHENTICATE : administrator
2014-04-06 12:52:26,192 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-6) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE
2014-04-06 12:52:39,690 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp-/127.0.0.1:8702-4) Kerberos error: Clock skew too great (37)
2014-04-06 12:52:39,691 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp-/127.0.0.1:8702-4) Authentication Failed. The Engine clock is not synchronized with directory services (must be within 5 minutes difference). Please verify the clocks are synchronized
Resolution
The clocks of the RHEVM server and the Active Directory server differ by more than the five-minute tolerance. Take the steps necessary to ensure that the system times of the RHEVM and AD servers stay within five minutes of each other.
Root Cause
The engine clock is not synchronized with directory services.
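To confirm from engine.log that a failed login was caused by clock skew rather than by bad credentials, the following added example (not Red Hat's or the oVirt project's code) ties each USER_FAILED_TO_AUTHENTICATE line to a clock-skew message logged earlier on the same request thread. The function name triage, the jdoe line and thread 8702-9 are constructed for illustration, and the example assumes the lines of one login attempt share a thread name, as the 8702-6 lines quoted under Issue do.

```python
import re

# Constructed sample: shortened copies of the engine.log lines quoted under Issue,
# plus one constructed login failure (thread 8702-9) with no clock-skew message.
SAMPLE_LOG = """\
2014-04-06 12:52:26,191 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp-/127.0.0.1:8702-6) Failed ldap search server LDAP://example.com:389 using user administrator@abc.COM due to Authentication Failed. The Engine clock is not synchronized with directory services (must be within 5 minutes difference).
2014-04-06 12:52:26,192 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-6) USER_FAILED_TO_AUTHENTICATE : administrator
2014-04-06 12:52:39,690 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp-/127.0.0.1:8702-4) Kerberos error: Clock skew too great (37)
2014-04-06 12:53:02,004 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-9) USER_FAILED_TO_AUTHENTICATE : jdoe
"""

LINE = re.compile(r"^(\S+ \S+)\s+(\w+)\s+\[([^\]]+)\]\s+\(([^)]+)\)\s+(.*)$")
SKEW = re.compile(r"Clock skew too great \(37\)|Engine clock is not synchronized")
SERVER = re.compile(r"Failed ldap search server (\S+) using user (\S+)")
LOGIN_FAIL = re.compile(r"USER_FAILED_TO_AUTHENTICATE : (\S+)")


def triage(log_text):
    """Return (login_failures, skew_servers).

    login_failures: one dict per USER_FAILED_TO_AUTHENTICATE line, with cause
    'clock_skew' if the same request thread logged a skew message since its
    previous login failure, else 'other'.
    skew_servers: sorted LDAP URLs named in clock-skew search failures.
    """
    skew_threads, skew_servers, failures = set(), set(), []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack-trace or continuation line, not a log record
        stamp, _level, _logger, thread, msg = m.groups()
        if SKEW.search(msg):
            skew_threads.add(thread)
            s = SERVER.search(msg)
            if s:
                skew_servers.add(s.group(1))
        f = LOGIN_FAIL.search(msg)
        if f:
            cause = "clock_skew" if thread in skew_threads else "other"
            skew_threads.discard(thread)  # pooled threads are reused; reset the flag
            failures.append({"time": stamp, "user": f.group(1), "thread": thread, "cause": cause})
    return failures, sorted(skew_servers)


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG)[0]:
        print(item)
```

Failures reported as clock_skew point to time synchronization between the RHEVM and AD servers; failures reported as other need a separate look at credentials or directory configuration.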
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.