Top of Page

Symmetric Keys  Symmetric Keys
Domain Time II Server
Version 5.2

This page configures the symmetric keys used by authenticating network protocols such as NTP and DT2.

Note: If you see the Policy Applied Group Policy applied indicator in the lower-left corner of the applet, there are settings on this page that are being overridden by an Active Directory Group Policy. Settings controlled by policy may be greyed-out or you may be otherwise prevented from making a change here. See the Active Directory page for more information on using Group Policies.

As of version 5.1, Domain Time supports two methods of network packet authentication: Windows Authentication and Symmetric Key Authentication.

Windows Authentication


Windows Authentication refers to the proprietary authentication method Microsoft uses to validate time packets between domain member machines and domain controllers (DCs). As of v5.1, Domain Time fully supports integrated Windows Authentication for both serving and obtaining the time within a domain.

    Important considerations (read the sidebar for more details):

    • Windows Authentication only works within a domain. That is, all machines exchanging time using Windows Authentication must be joined to the same domain (or forest).

    • Windows Authentication only works between domain members and domain controllers.

        While the domain member getting the time may be any kind of machine, the machine providing authenticated time must be a DC. Only a DC can validate the request. Other machines will not know the necessary shared secrets.

    • Windows Authentication is automatic, requiring no additional configuration on servers or clients.

    • Domain Time's Windows Authentication works with NTP, DT2-UDP, DT2-TCP, and DT2-HTTP protocols between Domain Time Servers and Clients. W32time only authenticates using NTP.

    • Windows Time (W32time) clients using "NT5DS" mode (the default domain member setting) can get authenticated NTP time natively from Domain Time Server running on a DC.

        NT5DS-mode W32time clients may also get authenticated time from DCs running Domain Time Client, however, W32time must be set to NoSync mode on the DC so that it provides the authenticate NTP timestamp.

        Although Domain Time Client will keep the DC's local clock highly accurate, using the W32time service to provide the authenticated time will result in reduced accuracy to the clients.

    • Domain Time Clients can obtain authenticated time from Windows DCs running only the W32time service. However, this is not recommended, since

      1. the Windows Time NTP service does a poor job of keeping the DC's local clock accurate, and
      2. the W32time NTP server itself adds additional inaccuracy to the network time being served.

    Recommended settings:
    Using Domain Time on your DCs is highly recommended.

    For v5.x Server on a DC:

    1. Verify that the NTP Server Enabled checkbox is checked on the Domain Time II Server Serve the Time property page AND

    2. the Windows Time mode: dropdown on the Server's Advanced property page is set to Disabled.

    For v5.x Client on a DC:

    1. the Windows Time mode: dropdown on the Advanced property page is set to NoSync.

    Other considerations

    • Cluster Service

      The Windows Cluster has a default startup dependency on W32time. It does not require the time service for any other purpose. Thus, the simple recommendation for installing Domain Time on clusters is to set the Windows Time mode: dropdown on the Advanced property page to NoSync, which allows the service to be running to satisfy the startup dependency, but allows Domain Time to set the cluster's clock.

        However, you may replace the cluster's startup dependency if you want. After installing Domain Time Client (or Server) on the cluster, use RegEdit to navigate to the following key:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clussvc

        Change the DependOnService value (omitting the quotation marks) from "W32time" to "Domain Time Client" (or "Domain Time Server" if that's what's installed).

        The cluster service will then wait until Domain Time has started before starting the cluster. You can then set the Windows Time mode: dropdown on the Advanced property page to Disabled.

    • Reliable Time Provider

      DcDiag and other tools sometimes expect the Windows Time service to be running on DCs, even if it's not actually doing anything. These tools often depend upon the DC being flagged as a reliable time provider.

        Starting with v5.x, Domain Time Server, when installed on a DC, sets the system flags to indicate the machine is serving time and is a reliable time source. The DsGetDcName() function will report Domain Time Server v5.x machines on DCs as both time servers and reliable time sources. Domain Time Server on a non-DC will not change the existing system flags.

        You may override this behavior by editing the registry. In

        HKEY_LOCAL_MACHINE\Software\Greyware\Domain Time Server\Parameters

        edit (or create) a REG_SZ (string) value called "Set Reliable Time Provider" and set its value to either "True" or "False" (the English words, without the quotation marks). If this value is present and set to True, Domain Time Server will set the two flags even if it is not running on a DC. This configuration has no meaning for Active Directory, since only DCs are examined for the flags. Other tools, however, may benefit from knowing that a reliable time source is present. If this value is present and set to False, then Domain Time Server will not change the flags.

     

    Symmetric Key Authentication

    Domain Time v5.1 and above also supports Symmetric Key Authentication (MD5 hash of shared secrets). This type of authentication works with Domain Time v5.1 and above Servers and Clients, or any properly-configured NTP daemon version 3 and later (AutoKey is not supported).

      Domain Time Server and Client support symmetric authentication of client-server requests using the NTP, DT2-UDP, DT2-TCP, and DT2-HTTP protocols. Domain Time also supports broadcasting (both NTP and DT2-UDP) with a shared key and MD5 hash. Clients configured with the same key validate packets from the sending server by comparing the computed hash.

      The Keyring
      Symmetric Keys are kept in a list containing the Key number and the Key secret (password). This list is also known as a keyring.

        The keyring may contain a combination of trusted and untrusted keys.

        A trusted key means the key is available to be selected by the component, but the trusted key is not active until its key number is selected when configuring a unicast time source in the time sources list (or by using the Broadcast/multicast key section of this page for broadcasts/multicasts). Untrusted keys are ignored.

          Keys List

          There are various ways to configure the keyring on Domain Time II components:

        • Master and Independent Servers
          - manually using the Control Panel applet (on this page)
          - importing the keys from a properly-formatted keyring (ntp.keys) file
          - importing a previously-exported Domain Time .reg file.

        • Shared secrets are automatically replicated between Domain Time Masters and Slaves. No configuration of the Slaves is necessary.

        • Clients
          - manually using the Control Panel applet
          - importing the keys from a properly-formatted keyring (ntp.keys) file
          - importing a previously-exported Domain Time .reg file.
          - using Windows Group Policies

        Keyring

        Import/Export the Keyring (keys file)
        Click the
        Import/Export link in the Symmetric Keys section, which brings up a dialog where you can import or export a standard ntp.keys text file.

        This function is also very useful if you are sharing an ntp.keys file with other systems running an NTP daemon such as UNIX/Linux ntpd.

        Secrets Import/Export Dialog
        Secrets Import/Export Dialog   [Click for larger size]
      Hint: When possible, be sure all of your time systems are working correctly before enabling authentication. Authentication requires a correct setup on both ends of the connection, and changes at either end can cause a previously-working connection to fail. Disabling authentication temporarily should always be one of the first steps when troubleshooting a connection issue.

 

 Broadcast/Multicast Key 

Broadcast/Multicast Key:

This dropdown selects the trusted key to be used when signing Broadcast or Multicast time packets. Note this refers specifically to the "heartbeat" type of time packets sent to the network on a fixed schedule, as configured on the Serve the Time page.

    As with normal Symmetric Key authentication, Clients receiving the broadcast/multicast must also be using the same authentication key to decode the packet.

 

Next Proceed to the Logs and Status page
Back Back to the Security page

Domain Time II Software distributed by Microsemi, Inc.
Documentation copyright © 1995-2017 Greyware Automation Products, Inc.
All Rights Reserved
All Trademarks mentioned are the properties of their respective owners.