How to Tame the "Time out of Bounds" Error

Mary Ziegler

If you run Eudora, SAP, or any other application that uses Kerberos 
authentication, you may encounter "Time out of bounds" or "clock skew" 
errors. This article explains why these errors occur and what you need 
to do to correct the situation.

The Role of Kerberos
Kerberos is MIT's authentication system. In simple terms, you prove 
your identity to a service on the network by providing your password, 
and Kerberos decides if you should have access to that service based on 
your identity. 

As part of the authentication process, Kerberos compares the time on 
the network time server (time.mit.edu) to the time on the accessing 
computer. If the times are very different, Kerberos will refuse to 
authenticate, instead displaying the "Time out of bounds" error. To 
correct this, you need to synchronize your computer's system clock to 
within five minutes of the time on the network time server.

Secrets of Synchronization
The time on the network time server should be close to the time given 
when you dial the Time of Day Service at 637-1234. If you prefer, you 
can determine the exact time on the network time server: a few ways to 
do this are described near the end of the article.
 
Once you know the time, you are ready to synchronize. The procedure 
depends on the platform and operating system you use; see the bulleted 
section that follows. Keep in mind that your computer's clock is 
sensitive to daylight savings time and time zone settings. You should 
check these settings before you reset the time. After you have 
synchronized, you will need to restart your machine.

* Macintosh 7.5.x: Open the Date & Time Control Panel. Click the Set 
Time Zone button to select a city in your time zone - Boston is 
listed. Then set the system clock to the correct time. (Don't turn on 
the Daylight Savings Time checkbox, since it's not in effect at this 
time of year.) Also, if you have the Map Control Panel installed, be 
sure to select your current location.

* Macintosh, operating systems earlier than 7.5.x: Open the Map Control 
Panel to set your location and the General Controls Control Panel to 
set the time.
 
* Windows 3.1: If you use Windows 3.1 on MITnet, you should have 
LANWorkPlace installed on your machine. LANWorkPlace has a batch 
file that sets the time zone and gets the network time whenever 
the program loads, so it's unlikely that you'll get a "Time out of 
bounds" error with this setup. If you do, check the time on your 
system clock.
 
* Windows 95: Check the settings under the Date/Time Control Panel: 
be sure that the correct time zone has been selected and that you 
have turned on the checkbox that reads "Automatically adjust clock 
for daylight savings changes." You should also make sure your system 
clock is set to the right time.
 
If you still have problems after restarting your machine, check your 
autoexec.bat file to make sure it includes the line
 
set tz=edt5edt
 
This sets the time zone correctly.
   
Checking the Network Time
As mentioned earlier, it's possible to determine the time on the 
network time server. Here's how.

* Macintosh: Install Network Time 2.01, a shareware Control Panel 
available from the CSS File Server in the IS-CSS AppleTalk zone. The 
path is Public:Freeware-Shareware: Network:Network Time. Read the 
accompanying Network Time QuickStart for directions.

* Windows: Open the Leash.exe program (in c:\net\mit) and click on 
the Synchronize Time button. The server time will be displayed.

* Athena: At the athena% prompt, type date.

Time for Help?
If you continue to have problems with "Time out of bounds" errors, 
contact the Computing Help Desk at x3-0001 or <computing-help@mit.edu>.