Symmetric Keys
Domain Time II Server
This page configures the symmetric keys used by authenticating network protocols such as NTP and DT2.
If you see the Group Policy applied indicator in the lower-left corner of the applet,
there are settings on this page that are being overridden by an Active Directory Group Policy. Settings controlled by policy may be greyed-out or you may be otherwise prevented from making a change here.
See the Active Directory page for more information on using Group Policies.
As of version 5.1, Domain Time supports two methods of network packet authentication: Windows Authentication and Symmetric Key Authentication.
Windows Authentication refers to the proprietary authentication method Microsoft uses to validate time packets
between domain member machines and domain controllers (DCs). As of v5.1, Domain Time fully supports integrated
Windows Authentication for both serving and obtaining the time within a domain.
For v5.x Server on a DC:
- Verify that the NTP Server Enabled checkbox is checked on the Domain Time II Server Serve the Time property page, AND
- the Windows Time mode: dropdown on the Server's Advanced property page is set to Disabled.
For v5.x Client on a DC:
- Verify that the Windows Time mode: dropdown on the Advanced property page is set to NoSync.
Cluster Service
The Windows Cluster has a default startup dependency on W32time. It does not require the time service for any other purpose. Thus,
the simple recommendation for installing Domain Time on clusters is to set the Windows Time mode: dropdown on the
Advanced property page to NoSync, which allows the service to be
running to satisfy the startup dependency, but allows Domain Time to set the cluster's clock.
However, you may replace the cluster's startup dependency if you want. After installing Domain Time Client (or Server) on the cluster, use RegEdit
to navigate to the following key:
Change the DependOnService value (omitting the quotation marks) from "W32time" to "Domain Time Client" (or "Domain Time Server" if that's what's installed).
The cluster service will then wait until Domain Time has started before starting the cluster. You can then set the Windows Time mode: dropdown on the
Advanced property page to Disabled.
Reliable Time Provider
DcDiag and other tools sometimes expect the Windows Time service to be running on DCs, even if it's not actually doing anything. These tools
often depend upon the DC being flagged as a reliable time provider.
Starting with v5.x, Domain Time Server, when installed on a DC,
sets the system flags to indicate the machine is serving time and
is a reliable time source. The DsGetDcName() function will report
Domain Time Server v5.x machines on DCs as both time servers and
reliable time sources. Domain Time Server on a non-DC will not
change the existing system flags.
You may override this behavior by editing the registry. In
HKEY_LOCAL_MACHINE\Software\Greyware\Domain Time Server\Parameters
edit (or create) a REG_SZ (string) value called "Set Reliable Time
Provider" and set its value to either "True" or "False" (the
English words, without the quotation marks). If this value is
present and set to True, Domain Time Server will set the two flags
even if it is not running on a DC. This configuration has no
meaning for Active Directory, since only DCs are examined for the
flags. Other tools, however, may benefit from knowing that a
reliable time source is present. If this value is present and set
to False, then Domain Time Server will not change the flags.
Symmetric Key Authentication
Domain Time v5.1 and above also supports Symmetric Key Authentication (MD5 hash of shared secrets). This type of authentication
works with Domain Time v5.1 and above Servers and Clients, or any properly-configured NTP daemon version 3 and later (AutoKey is not supported).
Use the Import/Export link in the Symmetric Keys section, which brings up a dialog where you can import or
export a standard ntp.keys text file.
Domain Time Server and Client support symmetric authentication of client-server requests using the NTP, DT2-UDP, DT2-TCP, and DT2-HTTP protocols.
Domain Time also supports broadcasting (both NTP and DT2-UDP) with a shared key and MD5 hash. Clients configured with the same key validate packets from the sending
server by comparing the computed hash.
Symmetric Keys are kept in a list containing the Key number and the Key secret (password). This list is also known as a keyring.
The keyring may contain a combination of trusted and untrusted keys.
Marking a key as trusted makes it available for selection by the component,
but a trusted key is not active until its key number is selected when configuring a
unicast time source in the time sources list (or by using the Broadcast/multicast key section of this page for broadcasts/multicasts).
Untrusted keys are ignored.
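As an added illustration (not Domain Time's or ntpd's own code), the following Python reads a constructed ntp.keys-style keyring and shows the check a receiver performs on an NTP packet signed with a symmetric MD5 key: the key number carried in the trailing MAC selects the secret, and the packet is accepted only if MD5(secret || header) matches. It assumes ASCII secrets and packets without extension fields.

```python
import hashlib
import hmac
import struct

# Constructed sample ntp.keys file (not a real keyring). Each line is
# "keyid type secret"; '#' starts a comment. Only M/MD5 entries are loaded,
# and secrets are assumed to be ASCII strings (not hex-encoded keys).
SAMPLE_KEYS_FILE = """\
# keyid  type  secret
1        MD5   CorrectHorse
7        M     StapleBattery
9        SHA1  not-an-md5-key
"""
NTP_HEADER_LEN = 48   # fixed NTP v3/v4 header; assumes no extension fields
MD5_DIGEST_LEN = 16
# Constructed NTP client request header: LI=0, VN=4, mode=3, rest zero.
CLIENT_HEADER = bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)

def parse_ntp_keys(text):
    """Return {keyid: secret_bytes} for the MD5 entries of an ntp.keys file."""
    keyring = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        keyid, ktype, secret = line.split(None, 2)
        if ktype.upper() in ("M", "MD5"):
            keyring[int(keyid)] = secret.encode("ascii")
    return keyring

def ntp_mac(keyid, secret, header):
    """NTP symmetric-key MAC: 4-byte key id followed by MD5(secret || header)."""
    return struct.pack("!I", keyid) + hashlib.md5(secret + header).digest()

def sign_packet(keyid, keyring, header):
    """Append the MAC a server sends when trusted key `keyid` is selected."""
    return header + ntp_mac(keyid, keyring[keyid], header)

def verify_packet(packet, keyring):
    """Return the key id that authenticates `packet`, or None if it fails."""
    if len(packet) != NTP_HEADER_LEN + 4 + MD5_DIGEST_LEN:
        return None                       # no MAC, or wrong digest size
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    keyid = struct.unpack("!I", mac[:4])[0]
    secret = keyring.get(keyid)
    if secret is None:                    # key number not in the keyring
        return None
    expected = ntp_mac(keyid, secret, header)
    return keyid if hmac.compare_digest(mac, expected) else None
```

A packet signed with a key number the receiver does not hold, or with a different secret under the same number, fails the check exactly as an untrusted key does on the Symmetric Keys page.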
Import/Export the Keyring (keys file)
This function is also very useful if you are sharing an ntp.keys file with other systems running an NTP daemon such as UNIX/Linux ntpd.
Hint: When possible, be sure all of your time systems are working correctly before enabling authentication.
Authentication requires a correct setup on both ends of the connection, and changes at either end can cause a
previously-working connection to fail. Disabling authentication temporarily should always be one of the first steps
when troubleshooting a connection issue.
Broadcast/multicast key
This dropdown selects the trusted key to be used when signing Broadcast or Multicast time packets. Note this refers specifically to the "heartbeat" type of time
packets sent to the network on a fixed schedule, as configured on the Serve the Time page.
As with normal Symmetric Key authentication, Clients receiving the broadcast/multicast must also be using the same authentication key to decode the packet.