Time Source Peer Authentication

Applies To: Windows Server 2008 R2

Within an Active Directory forest, the Windows Time service (W32time) relies on standard domain security features to authenticate time data. Network Time Protocol (NTP) packets exchanged between a domain member and a domain controller that is acting as its time server are protected by shared-key authentication: the Windows Time service signs them with the local computer's Kerberos session key, the same session key that the Net Logon service establishes for the computer's secure channel. When a computer requests the time from a domain controller in the domain hierarchy, the Windows Time service requires that the reply be authenticated. The domain controller returns the requested time as a 64-bit value that has been authenticated with the session key from the Net Logon service. If the returned NTP packet is not signed with the computer's session key, or the signature does not verify, the client rejects the time. In this way the Windows Time service protects NTP data inside an Active Directory forest against tampering and against replies from an unauthorized time source. Note that this protection covers only clients that synchronize through the domain hierarchy; a computer configured with manual NTP peers, or the forest root PDC emulator taking time from an external source, does not receive it.

Events

Event ID: 25
Source:   Microsoft-Windows-Time-Service
Message:  The time provider NtpClient cannot determine whether the response received from %1 has a valid signature. The response will be ignored. The error was: %2

Event ID: 26
Source:   Microsoft-Windows-Time-Service
Message:  Time Provider NtpClient: The response received from domain controller %1 has a bad signature. The response may have been tampered with and will be ignored.

Event ID: 27
Source:   Microsoft-Windows-Time-Service
Message:  Time Provider NtpClient: The response received from domain controller %1 is missing the signature. The response may have been tampered with and will be ignored.
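The following PowerShell script is an added example, not part of this page or of the Windows Time service itself. It ties the two halves of the page together: it first checks whether the host is actually taking time from the domain hierarchy (only then is a Kerberos-signed reply expected), and then searches the System log for the three signature-failure events above so that a bad or missing signature can be investigated as a possible rogue or tampered time source. It assumes it runs with local administrator rights on a domain-joined host; the $LookbackHours parameter and the assumption that the first insertion string (%1) is the peer name are choices made for this example.

```powershell
# Added example: audit W32time peer authentication on a domain member and
# hunt for the signature-failure events 25, 26 and 27.
# Assumes: local administrator on a domain-joined Windows host.
# $LookbackHours is a parameter introduced for this example.
param(
    [int]$LookbackHours = 24
)

$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

# 1. Is the host taking time from the domain hierarchy?
#    Type = NT5DS: the client asks its DC for time and requires the reply to
#    be signed with the computer's Kerberos session key.
#    Any other value (NTP, AllSync, NoSync): manually configured peers or no
#    sync at all, so no AD signature is expected and events 25-27 do not apply.
$params = Get-ItemProperty -Path $w32
$source = (& w32tm /query /source) -join ''

"Sync type : $($params.Type)"
"NtpServer : $($params.NtpServer)"
"Live src  : $source"

if ($params.Type -ne 'NT5DS') {
    Write-Warning 'Not using the domain hierarchy; NTP replies are not Kerberos-signed.'
}

# 2. Look for rejected replies. W32time logs these to the System log under
#    the Microsoft-Windows-Time-Service provider:
#      25 = could not verify the signature (often a secure-channel problem)
#      26 = signature present but wrong   -> possible tampering or rogue responder
#      27 = signature missing             -> peer did not sign, e.g. not a DC
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Time-Service'
    Id           = 25, 26, 27
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    "No signature-failure events in the last $LookbackHours hours."
    return
}

$events |
    Select-Object TimeCreated, Id,
        # Assumption for this example: insertion string %1 is the peer name.
        @{ n = 'Peer';    e = { $_.Properties[0].Value } },
        @{ n = 'Verdict'; e = {
            switch ($_.Id) {
                25 { 'cannot verify signature' }
                26 { 'BAD signature - investigate' }
                27 { 'MISSING signature - investigate' }
            }
        } } |
    Format-Table -AutoSize

# 3. A rejected reply means the client refused the time, so the clock may be
#    drifting. Before blaming an attacker, confirm the secure channel to the
#    DC: a broken channel leaves the DC unable to sign and produces event 25.
Test-ComputerSecureChannel -Verbose

# Rediscover a DC and resynchronise once the cause is understood.
& w32tm /resync /rediscover
```

Run it with a longer window when reviewing an incident, for example `.\Check-W32timeAuth.ps1 -LookbackHours 168`. Event 26 (bad signature) and 27 (missing signature) from a host whose Type is NT5DS are the ones that deserve a closer look at what is answering NTP on port 123 for that domain controller's name; event 25 is more often a Kerberos or secure-channel fault on the client than an attack.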

Time Source Peer

Active Directory