Tentacles must be in same timezone as server

Hi.

Just noticed that tentacles cannot pass their health-check when they are in a different timezone. This causes the following exception:

	2013-11-07 22:59:36 ERROR  System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message.
	   --- End of inner exception stack trace ---

	Server stack trace:
	   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
	   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
	   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
	   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
	   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
	   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
	   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
	   at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.SyncWaiter.TryGetChannel()
	   at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.SyncWaiter.TryWait(TChannel& channel)
	   at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.TryGetChannel(Boolean canGetChannel, Boolean canCauseFault, TimeSpan timeout, MaskingMode maskingMode, TChannel& channel)
	   at System.ServiceModel.Channels.ClientReliableChannelBinder`1.Request(Message message, TimeSpan timeout, MaskingMode maskingMode)
	   at System.ServiceModel.Channels.RequestReliableRequestor.OnRequest(Message request, TimeSpan timeout, Boolean last)
	   at System.ServiceModel.Channels.ReliableRequestor.Request(TimeSpan timeout)
	   at System.ServiceModel.Channels.ClientReliableSession.Open(TimeSpan timeout)
	   at System.ServiceModel.Channels.ReliableRequestSessionChannel.OnOpen(TimeSpan timeout)
	   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
	   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
	   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
	   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
	   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
	   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
	   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
	   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

To work around, place the tentacle in the same timezone.

Hi Andy,

Yes, this is somewhat by design; when the times are out, the encrypted messages sent between servers can’t be verified since they could be a replay from a man-in-the-middle attack.

Paul

Surely the timestamps should be in UTC however, not local time?

Andy Clarke / solution architect
+64 9 308 2247 / +64 21 608 398 / andy@terabyte.co.nz / twitter @andy_clr

Hi Andy,

Actually I misread this. Yes, UTC time is used. Encryption will fail if the clocks are out of sync, but it doesn’t matter if they are in the same time zone or not. Is it possible that the clocks were wrong, and that changing the time zone corrected them?

Paul
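
The behaviour described in the last reply, sketched as an added example (it is not code from this thread or from the product): a receiver compares a message's UTC Created/Expires stamp against its own clock with a skew allowance, so hosts in different time zones pass while a drifted clock or a replayed message is rejected. The function names, the two zones, the sample instant and the 5-minute values are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumptions: 5-minute skew allowance and message lifetime (WCF-style defaults).
MAX_CLOCK_SKEW = timedelta(minutes=5)
MESSAGE_LIFETIME = timedelta(minutes=5)
NZDT = timezone(timedelta(hours=13))   # tentacle's zone (constructed)
PST = timezone(timedelta(hours=-8))    # server's zone (constructed)

def make_timestamp(sender_clock):
    """Sender side: stamp (created, expires) from its own clock, expressed in UTC."""
    created = sender_clock.astimezone(timezone.utc)
    return created, created + MESSAGE_LIFETIME

def check_timestamp(created, expires, receiver_clock, skew=MAX_CLOCK_SKEW):
    """Receiver side: accept only if the stamp is current, within the skew allowance."""
    for t in (created, expires, receiver_clock):
        if t.tzinfo is None:
            # A naive local time has no offset, so it cannot be compared across zones.
            raise ValueError("naive datetime: UTC offset unknown")
    now = receiver_clock.astimezone(timezone.utc)
    if created > now + skew:
        return "rejected: created in the future"
    if expires < now - skew:
        return "rejected: expired"
    return "accepted"

def run_scenarios():
    """Run four constructed cases against one server clock; return outcomes by name."""
    instant = datetime(2013, 11, 7, 9, 59, 36, tzinfo=timezone.utc)  # constructed
    tentacle, server = instant.astimezone(NZDT), instant.astimezone(PST)
    drift = timedelta(minutes=12)
    return {
        # Same instant, wall clocks 21 hours apart: the zone offset cancels out.
        "synced, different zones": check_timestamp(*make_timestamp(tentacle), server),
        # The tentacle's clock itself is wrong, whatever zone it is set to.
        "tentacle 12 min fast": check_timestamp(*make_timestamp(tentacle + drift), server),
        "tentacle 12 min slow": check_timestamp(*make_timestamp(tentacle - drift), server),
        # A captured message presented again later falls outside the window.
        "replayed after 30 min": check_timestamp(
            *make_timestamp(tentacle), server + timedelta(minutes=30)),
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```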