kerberos： Clock skew too great (37) - PROCESS_TGS

kerberos认证失败错误信息：

Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Clock skew too great (37) - PROCESS_TGS)at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:772)at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)... 27 common frames omitted
Caused by: sun.security.krb5.KrbException: Clock skew too great (37) - PROCESS_TGSat sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308)at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126)at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:466)at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:695)... 30 common frames omitted
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)... 36 common frames omitted

分析原因：
时钟同步问题：所有参与 Kerberos 验证系统的主机都必须在指定的最长时间（称为时钟相位差）内同步其内部时钟。针对这一要求，需要进行另一种 Kerberos 安全检查。如果任意两台参与主机之间的时间偏差超过了时钟相位差，则客户机请求会被拒绝。时钟相位差的最大缺省值为 300 秒（5 分钟）。出于安全原因，不要将时钟相位差增大到超过 300 秒。

解决方案：
进行服务器时间同步

• https://blog.csdn.net/qq_63278311/article/details/132067221
• https://blog.csdn.net/O_Victorain/article/details/84200981
• https://forum.huawei.com/enterprise/zh/thread/580943064170643456
• https://www.cnblogs.com/bybdz/p/13685996.html
• http://www.hzhcontrols.com/new-1971742.html