Event ID 27 — Time Source Peer Authentication

Applies To: Windows Server 2008

Within an Active Directory forest, the Windows Time service (W32time) relies on standard domain security features to enforce the authentication of time data. The security of Network Time Protocol (NTP) packets that are sent between a domain member and a local domain controller that is acting as a time server is based on shared key authentication. The Windows Time service uses the local computer's Kerberos session key to create authenticated signatures on NTP packets that are sent across the network. When a computer requests the time from a domain controller in the domain hierarchy, the Windows Time service requires that the time be authenticated. The domain controller then returns the required information in the form of a 64-bit value that has been authenticated with the session key from the NetLogon service. If the returned NTP packet is not signed with the computer’s session key or if it is not signed correctly, the time is rejected. In this way, the Windows Time service provides security for NTP data in an Active Directory forest.


Event Details

Product: Windows Operating System
ID: 27
Source: Microsoft-Windows-Time-Service
Version: 6.0
Message: Time Provider NtpClient: The response received from domain controller %1 is missing the signature. The response may have been tampered with and will be ignored.


Investigate causes for invalid responses from the time source

The error in Event Viewer should provide additional information. There may be an operating system or network configuration error, a rogue server, or an attempted computer security attack. Verify that the network adapter is installed, enabled, and functioning properly. Ensure that TCP/IP is installed and configured properly.

For information about the Windows Time Service, see How the Windows Time Service Works (http://go.microsoft.com/fwlink/?LinkId=109275).

For information about configuring and troubleshooting TCP/IP, see Chapter 16 - Troubleshooting TCP/IP (http://go.microsoft.com/fwlink/?LinkId=109262) and Windows Server 2003 TCP/IP Troubleshooting (http://go.microsoft.com/fwlink/?LinkId=109264).

If you are not able to resolve this issue by correcting the network configuration, note the details in the event message, and then report this internal error to Microsoft Customer Service and Support (CSS). For information about contacting CSS, see Enterprise Support (http://go.microsoft.com/fwlink/?LinkId=52267).


To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To verify that the Windows Time service is synchronizing correctly:

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. At the command prompt, type W32TM /resync, and then press ENTER.

  3. At the command prompt, type W32TM /query /status, and then press ENTER.

    This command displays the status of the Windows Time service synchronization. The Last Successful Sync Time line of the output displays the date and time that you ran the W32TM /resync command in the previous step.

To confirm that the Windows Time service synchronized successfully with its time source when you ran the W32TM /resync command, verify that Event ID 35 appears in Event Viewer.
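The verification steps above, scripted in PowerShell as an added example (not Microsoft's own code); it also lists recent Event ID 27 entries grouped by domain controller. Assumptions: English-language w32tm output, the events are written to the System log, the first event property of Event ID 27 is the domain controller name shown as %1 in the message, and the 24-hour lookback is an arbitrary default.

```powershell
param([int]$LookbackHours = 24)   # assumption: how far back to search for Event ID 27

$provider = 'Microsoft-Windows-Time-Service'
$started  = Get-Date

function Get-TimeServiceEvent([int]$Id, [datetime]$Since) {
    try {
        Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = $provider; Id = $Id; StartTime = $Since
        } -ErrorAction Stop
    } catch {
        # "No matching events" is an expected outcome; anything else is a real error.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
    }
}

# Steps 2 and 3 of the procedure (run from an elevated prompt).
$resync   = & w32tm.exe /resync 2>&1
$resyncOk = ($LASTEXITCODE -eq 0)
$status   = & w32tm.exe /query /status 2>&1
# English output only: this label is localized on non-English systems.
$lastSync = $status | Where-Object { $_ -match '^Last Successful Sync Time' }

Start-Sleep -Seconds 5   # give the service a moment to write its event

# Event ID 35 logged after the resync confirms synchronization with the time source.
$synced   = @(Get-TimeServiceEvent -Id 35 -Since $started)
# Event ID 27 means a domain controller response arrived without a signature.
$unsigned = @(Get-TimeServiceEvent -Id 27 -Since $started.AddHours(-$LookbackHours))

"Resync command succeeded : $resyncOk"
"Status line              : $lastSync"
"Event ID 35 since resync : $($synced.Count)"
"Event ID 27, last ${LookbackHours}h : $($unsigned.Count)"

# Group unsigned responses by the domain controller named in the event,
# so one misbehaving or unexpected source stands out.
$unsigned |
    Group-Object { $_.Properties[0].Value } |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Latest'; e = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } } |
    Format-Table -AutoSize
```

A domain controller name in the grouped output that is not one of your known time sources is worth investigating before you treat the event as a network configuration problem.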

For more information about the Windows Time service, see Windows Time Service Technical Reference (http://go.microsoft.com/fwlink/?LinkID=25393).
