000026173 - How to correct token offset time when server drift time is unknown

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000026173
Applies To: RSA ACE/Server
Setsync
Last login date
Issue: How to correct token offset time when server drift time is unknown
Synchronization Solutions INDEX: Guided list of solutions for Time/Token Synch issues for RSA ACE/Server
What are the various fields in setsyncint output file?
Most cards are going into next token code mode
Administrator ran setsyncint in read-only mode and created a report; needs to determine by how much time the users are offset
Cause: Server time changed by unknown amount of time
Resolution: A sample file is created to explain the meaning of the fields.
Copy the setsyncint utility to the ace/prog directory.
setsyncint -r >setsync.txt
The above command creates a .txt file in the format given below.
There is no server for database C:\ACE\data\sdserv. (1423)
There is no server for database C:\ACE\data\sdserv. (1423)
000026110800 Sync:             -60 NTC   0 LLD  05/30/2003        LLT  4022
000006169421 Sync:             180 NTC   0 LLD  02/26/2003        LLT 18579
000026110801 Sync:               0 NTC   0 LLD  06/23/2003         LLT 65184
000006169422 Sync:             120 NTC   0 LLD  06/08/2001        LLT 17033
000026110802 Sync:             420 NTC   0 LLD  04/04/2003        LLT 78892
000006169423 Sync:               0 NTC   0 LLD  01/01/1986        LLT     0
000026110803 Sync:             -60 NTC   0 LLD  06/13/2003        LLT  3989
000006169424 Sync:             120 NTC   0 LLD  10/09/2001        LLT 59489
000030149137 Sync:               0 NTC   0 LLD  01/01/1986         LLT     0
000026110804 Sync:             -60 NTC   0 LLD  06/25/2003         LLT  4089
000006169425 Sync:             180 NTC   0 LLD  02/26/2002         LLT 15452
000006671651 Sync:             540 NTC   0 LLD  05/14/2003         LLT 74034
000030149138 Sync:               0 NTC   0 LLD  01/01/1986         LLT     0
000026110805 Sync:             420 NTC   0 LLD  03/20/2003         LLT 73139
000006169426 Sync:            -120 NTC   0 LLD  06/24/2003         LLT  9429
000006671652 Sync:              60 NTC   0 LLD  06/23/2003         LLT 45859
000030149139 Sync:               0 NTC   0 LLD  01/01/1986         LLT     0
Explanation of fields:
1. 000030149139      Token serial number
2. Sync: 0           Sync value is the token offset in seconds. Each token has a clock in it and will have an offset value depending on the token time drift
3. NTC 0             Next Tokencode Count is the number of failed login attempts in a row
4. LLD 01/01/1986    LLD is the last login date
5. LLT 0             LLT is the last login time in seconds since midnight on the last login date
To calculate the server offset value, follow these steps:
1. Run setsyncint in read-only mode and note the offset value (value 1) for a specific token
2. Resynchronize that token using database administration
3. Run setsyncint in read-only mode again and note the offset value (value 2)
4. Subtract value 1 from value 2
5. Repeat steps 1 through 4 for 2 more tokens to verify the offset value
6. If the value is 240, run setsyncint as shown below:
  setsyncint -all -y 240    (note the value 240 is positive)
  If the difference is -60, run setsyncint to correct the database as shown below:
  setsyncint -all -y -60     (note the value is negative)
The setsyncint utility fixes the ACE/Server time offset for token drift on a Windows or UNIX ACE/Server. However, while correcting the database time, it takes the local time on the machine into account. Therefore, it is important to correct the machine time prior to running the Setsync utility. If the server time drift amount is not known, use "setsyncint -all -n -s" to set all tokens to 0 offset. In this case, you may need to resync some of the users' tokens before they can authenticate.
The setsyncint utility can also be used to find the last login date and time. Tokens that have not been used during the past year or two can be identified and deleted from the database.
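The subtraction in steps 1 through 5 and the last-login check described above can be scripted against two saved "setsyncint -r" reports. This is an added example, not RSA's code: the parser follows the sample output shown in this article, the second report's values and the cutoff date are constructed, and the function names are hypothetical.

```python
import re
from datetime import date, datetime

# serial, Sync (seconds), NTC, LLD (MM/DD/YYYY), LLT (seconds since midnight)
RECORD = re.compile(
    r"^(\d+)\s+Sync:\s+(-?\d+)\s+NTC\s+(\d+)\s+LLD\s+(\d{2}/\d{2}/\d{4})\s+LLT\s+(\d+)$")

def parse_report(text):
    """Map serial -> fields; lines that are not token records are skipped."""
    tokens = {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            serial, sync, ntc, lld, llt = m.groups()
            tokens[serial] = {"sync": int(sync), "ntc": int(ntc), "llt": int(llt),
                              "lld": datetime.strptime(lld, "%m/%d/%Y").date()}
    return tokens

def server_offset(before, after, serials):
    """Value 2 minus value 1 for each resynchronized token (steps 1-5)."""
    deltas = {s: after[s]["sync"] - before[s]["sync"] for s in serials}
    if len(set(deltas.values())) != 1:
        # Tokens disagree: the difference is not verified, so stop here.
        raise ValueError(f"tokens disagree, do not apply with -all: {deltas}")
    return deltas[serials[0]]

def stale_tokens(report, cutoff):
    """Serials whose last login date is older than the cutoff date."""
    return sorted(s for s, t in report.items() if t["lld"] < cutoff)

# First read-only report: lines taken from the sample output in this article.
BEFORE = """\
There is no server for database C:\\ACE\\data\\sdserv. (1423)
000026110800 Sync:             -60 NTC   0 LLD  05/30/2003        LLT  4022
000006169421 Sync:             180 NTC   0 LLD  02/26/2003        LLT 18579
000006169422 Sync:             120 NTC   0 LLD  06/08/2001        LLT 17033
000026110802 Sync:             420 NTC   0 LLD  04/04/2003        LLT 78892
000006169423 Sync:               0 NTC   0 LLD  01/01/1986        LLT     0
"""
# Second report after resynchronizing three tokens: values constructed for this example.
AFTER = """\
000026110800 Sync:             180 NTC   0 LLD  06/26/2003        LLT 30000
000006169421 Sync:             420 NTC   0 LLD  06/26/2003        LLT 30100
000026110802 Sync:             660 NTC   0 LLD  06/26/2003        LLT 30200
"""
RESYNCED = ["000026110800", "000006169421", "000026110802"]

if __name__ == "__main__":
    offset = server_offset(parse_report(BEFORE), parse_report(AFTER), RESYNCED)
    print(f"setsyncint -all -y {offset}")
    print("not used since cutoff:", stale_tokens(parse_report(BEFORE), date(2002, 6, 30)))
```

If the three differences do not match, the function raises instead of returning a value, so a mismatched measurement is never passed to the -all correction.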
 
Legacy Article ID: a17229
