Error: "Token current time is out of validity range"

When connecting to or logging into Verastream Host Integrator (VHI), you may see the following error:

This error message typically occurs with one of the following events:

• When security is enabled on the Session Server, and your client application is attempting to connect.
• In version 6.6 or earlier, when security is enabled, and you are logging into Administrative WebStation.
• In version 6.6 or earlier, when security is enabled on the load balancing domain, and your client application is attempting to connect via domain.

Check the time and time zone configuration of your systems. On Linux/UNIX systems, set the system clock by running the date command as the superuser (root user). To avoid recurring problems due to clock drift, use NTP or time protocol to regularly synchronize system clocks.

In version 6.6 or earlier, clocks on the systems running Session Server and AADS services should be less than 3 seconds apart, to ensure authentication can complete within 5 seconds.

Beginning in version 7.0, clocks on the systems running Session Server and Management Server services should be less than 5 minutes apart. In addition to the token duration of 5 seconds, there is a configurable token grace period which defaults to 300 seconds (5 minutes). The tokenGracePeriod property can be adjusted by editing the ManagementServer/services/vhi/META-INF/service-ctx.xml file. Changes take effect after restarting the Management Server service. For information on manually restarting the service, see KB 7021352.

This error occurs when clocks are not synchronized across multiple systems in the Host Integrator installation environment. This problem can also surface when heavily-loaded networks or CPUs cause processing delays. Authentication tokens have short timeouts to avoid replay attacks.

Legacy KB ID

This article was originally published as Attachmate Technical Note 10104.