THE INFORMATION IN THIS ARTICLE APPLIES TO:
- Mail Express, v3.3 and later
SYMPTOM
Using Single Sign On (SSO) to log in to Mail Express triggers "Clock skew too great" error
RESOLUTION
Make sure the server running Mail Express and the Kerberos or Active Directory domain controller have synchronized clocks.
MORE INFORMATION
Clients can be prevented from authenticating by the mechanisms that Kerberos authentication uses to prevent "replay" attacks. In a replay attack, a malicious user captures the network traffic and replays it to trick the authenticating server into accepting the attacker as a legitimate user who is providing credentials. If this error occurs frequently for users in your system (and you know your network is not being attacked), you could change the value of the "Maximum tolerance for computer clock synchronization" to a higher value. Refer to the Microsoft Technet article Authentication Errors are Caused by Unsynchronized Clocks for more information.