Re: cannot add active directory to my acs 5.0

ericohermoso · ‎10-06-2010

Hello,

I am adding active directory to my acs5.0 and i got this error "clock skew error"

My ACS has the same time with the active directory and same timezone GMT+3.

thanks

Vinay Sharma · ‎10-06-2010

Hi,

Since you are not able to get the Ad connection to work with the ACS 5.0 and getting "clock skew error".

ACS and AD must be time-synchronized to within 5 minutes. Time in ACS is set according to
the Network Time Protocol (NTP) server. Both AD and ACS should be synchronized by the same
NTP server. Using the command line interface on your appliance, you must configure the NTP
client to work with the same NTP server that the AD domain is synchronized with.

Here is the complete command reference guide.

CLI Reference Guide for the Cisco Secure Access Control System 5.0:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/command/re
ference/ACS_CLI_guide.html

Here are some commands highlighted for setting the time up.

ntp server:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/command/re
ference/CLIappA.html#wp1013780

clock timezone:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/command/re
ference/CLIappA.html#wp1013028

You can run the following commands to verify the time.

show clock:To display the day, month, date, time, time zone, and year of the system
software clock

show ntp :To show the status of the Network Time Protocol (NTP) associations

show timezone: To display the time zone as set on the systemYou can refer to the link below to setup the AD connection.

Microsoft Active Directory:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide
/users_id_stores.html#wp1053213

thanks,
Vinay

Thanks & Regards

ericohermoso · ‎10-06-2010

Hello,

Still clock skew problem. same time. acs timezone is UTC and windows server 2008 is UTC + 3 both have the same ntp server configure, of course same time.

What might be the additional workaround for this?

thank you and best regards

Vinay Sharma · ‎10-06-2010

It seems to be turns out that due to DST. Check the ACS timezone is it EST (show timezones display EST5EDT) and AD timezone is Eastern? So is the
timezones matches?

See below:
http://www.travelmath.com/time-zone/EST5EDT#

Thanks & Regards

ericohermoso · ‎10-06-2010

Hello,

I will try this timezone this coming thursday, Maybe timezone problem.

thanks

ericohermoso · ‎10-07-2010

Hi Vinashar

My options in my active directory is using UTC, so I use UTC + 3 timezone. How can i adjust my ACS to UTC+3 timezone of my active directory. I tried GMT+3 in my ACS and UTC+3 in my active directory and still clock skew error..

thanks

Vinay Sharma · ‎10-07-2010

Hi,

Lets try the following command and see if it fixes it.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/command/reference/CLIappA.html#wp1036987

http://www.worldtimeserver.com/convert_time_in_UTC.aspx

Thanks,

Vinay

Thanks & Regards

ericohermoso · ‎10-09-2010

hi vinashar,

just try again if i can add the active directory and still clock skew problem. The timezone of my Active directory is UTC+3 and my ACS is GMT+3. Of course, I have the same time.

vialves · ‎10-21-2010

Guys, I had the exact same issue. In order to solve it, I removed the NTP configuration from my ACS (my AD is not using NTP) and adjusted it manually until I get the difference between them of 3 seconds. I configured the same timezone on both sides, but I cannot guarantee that it's required.

Let me know if that works for you.