Symmetric Keys
Domain Time II Client Version 5.2
This page configures the symmetric keys used by authenticating network protocols such as NTP and DT2.
Note:
If you see the Group Policy applied indicator in the lower-left corner of the applet,
there are settings on this page that are being overridden by an Active Directory Group Policy. Settings controlled by policy may be greyed-out or you may be otherwise prevented from making a change here.
See the Active Directory page for more information on using Group Policies.
As of version 5.1, Domain Time supports two methods of network packet authentication: Windows Authentication and Symmetric Key Authentication.
Windows Authentication
Windows Authentication refers to the proprietary authentication method Microsoft uses to validate time packets
between domain member machines and domain controllers (DCs). As of v5.1, Domain Time fully supports integrated
Windows Authentication for both serving and obtaining the time within a domain.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clussvc
Change the DependOnService value (omitting the quotation marks) from "W32time" to "Domain Time Client" (or "Domain Time Server" if that's what's installed).
The cluster service will then wait until Domain Time has started before starting the cluster. You can then set the Windows Time mode: dropdown on the
Advanced property page to Disabled.
Reliable Time Provider
DcDiag and other tools sometimes expect the Windows Time service to be running on DCs, even if it's not actually doing anything. These tools
often depend upon the DC being flagged as a reliable time provider.
Starting with v5.x, Domain Time Server, when installed on a DC,
sets the system flags to indicate the machine is serving time and
is a reliable time source. The DsGetDcName() function will report
Domain Time Server v5.x machines on DCs as both time servers and
reliable time sources. Domain Time Server on a non-DC will not
change the existing system flags.
You may override this behavior by editing the registry. In
HKEY_LOCAL_MACHINE\Software\Greyware\Domain Time Server\Parameters
edit (or create) a REG_SZ (string) value called "Set Reliable Time
Provider" and set its value to either "True" or "False" (the
English words, without the quotation marks). If this value is
present and set to True, Domain Time Server will set the two flags
even if it is not running on a DC. This configuration has no
meaning for Active Directory, since only DCs are examined for the
flags. Other tools, however, may benefit from knowing that a
reliable time source is present. If this value is present and set
to False, then Domain Time Server will not change the flags.
Symmetric Key Authentication
v5.x Domain Time Clients and Servers support Symmetric Key Authentication (a hash computed over the packet with a shared secret). As of version 5.2.b.20170922 Domain Time
supports both MD5 and SHA1 hashes; older versions are MD5-only.
Domain Time Server and Client support symmetric authentication of client-server requests using NTP (version 3 and later; AutoKey is not supported), DT2-UDP, DT2-TCP, and DT2-HTTP protocols.
Domain Time also supports broadcasting (both NTP and DT2-UDP) with a shared key and hash. Clients configured with the same key validate packets from the sending
server by comparing the computed hash.
SHA1 keys are always exactly forty hex characters long. MD5 keys are ASCII text; different implementations of the NTP daemon have allowed
different maximum key lengths. In general, an MD5 key should be composed only from 7-bit ASCII-printable text, excluding space, tab, and
the # character. MD5 keys should be at least 8 characters long, and should not exceed 20 characters. Some versions of NTP daemons
allow lengths of 32, while others have a maximum of 8 or 16. You will need to choose MD5 keys that are interoperable with all of your
various devices and daemons.
The Keyring
Symmetric Keys are kept in a list containing the Key number and the Key secret (password). This list is also known as a keyring.
The keyring may contain a combination of trusted and untrusted keys.
A trusted key means the key is available to be selected by the component,
but the trusted key is not active until its key number is selected when configuring a
unicast time source in the time sources list (or by using the Broadcast/multicast key section of this page for broadcasts/multicasts).
Untrusted keys are ignored.
Import/Export the Keyring (keys file)
Click the Import/Export link in the Symmetric Keys section, which brings up a dialog where you can import or
export a standard ntp.keys text file.
This function is also very useful if you are sharing an ntp.keys file with other systems running an NTP daemon such as UNIX/Linux ntpd.
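As an added example (not Domain Time's own code), the following Python parses an ntp.keys file in the standard "keyno type key" layout and checks every entry against the key-format rules given above, so a keyring can be audited before it is imported or shared with an ntpd host. The sample file contents are constructed for the example; treating "M" as an alias for MD5 and "#" as the comment character is assumed from the standard ntp.keys format.

```python
import re

# Constructed sample ntp.keys file (made-up key values). Assumed standard layout:
# "keyno type key", '#' starts a comment, and type "M" is an alias for MD5.
SAMPLE_KEYS_FILE = """\
1  MD5   Rocket123
2  M     short                                      # fewer than 8 characters
3  SHA1  0123456789abcdef0123456789abcdef01234567
4  SHA1  0123456789abcdef                           # not 40 hex characters
5  MD5   has a space                                # space is not allowed
6  MD5   abcdefghijklmnopqrstuvwxyz                 # longer than 20 characters
"""

# Rules stated on the page: SHA1 keys are exactly 40 hex characters; MD5 keys are
# 7-bit printable ASCII without space, tab or '#', between 8 and 20 characters.
SHA1_KEY_RE = re.compile(r"^[0-9A-Fa-f]{40}$")
MD5_KEY_RE = re.compile(r"^[\x21-\x7e]{8,20}$")   # printable ASCII, no space/tab

def parse_keys_file(text):
    """Return a list of (keyno, type, key) tuples from ntp.keys text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ValueError(f"malformed keys line: {raw!r}")
        keyno, ktype, key = fields
        ktype = "MD5" if ktype.upper() == "M" else ktype.upper()
        entries.append((int(keyno), ktype, key))
    return entries

def check_key(ktype, key):
    """Return None if the key follows the page's rules, else the reason it does not."""
    if ktype == "SHA1":
        return None if SHA1_KEY_RE.match(key) else "SHA1 key must be exactly 40 hex characters"
    if ktype == "MD5":
        if "#" in key or not MD5_KEY_RE.match(key):
            return "MD5 key must be 8-20 printable 7-bit ASCII characters without space, tab or '#'"
        return None
    return f"unsupported key type {ktype}"

def audit_keyring(text):
    # Map key number -> problem for every entry that breaks a rule.
    problems = {}
    for keyno, ktype, key in parse_keys_file(text):
        reason = check_key(ktype, key)
        if reason is not None:
            problems[keyno] = reason
    return problems
```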
Hint: When possible, be sure all of your time systems are working correctly before enabling authentication.
Authentication requires a correct setup on both ends of the connection, and changes at either end can cause a
previously-working connection to fail. Disabling authentication temporarily should always be one of the first steps
when troubleshooting a connection issue.
This dropdown selects the trusted key to be used when signing Broadcast or Multicast time packets. Note this refers specifically to the "heartbeat" type of time
packets sent to the network on a fixed schedule, as configured on the Serve the Time page.
As with normal Symmetric Key authentication, Clients receiving the broadcast/multicast must also be using the same authentication key to validate the packet.
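The validation described above, as an added example that is not Domain Time's code: a broadcasting server appends a key number and digest to a 48-byte NTP header, and a client holding the same trusted key recomputes the digest and compares it, rejecting packets signed with unknown keys, wrong secrets, or altered contents. It assumes the RFC 5905 MAC layout (digest over key || header; 16 bytes for MD5, 20 for SHA1) and that a 40-hex-character SHA1 key is the encoding of 20 raw key bytes; the keyring and header are constructed.

```python
import hashlib
import hmac
import struct

# Assumed per RFC 5905 and common ntpd practice: the MAC appended to the 48-byte
# NTP header is the 32-bit key number followed by digest(key || header), 16 bytes
# for MD5 and 20 for SHA1. SHA1 keys are taken as 40 hex characters encoding 20 raw
# key bytes; MD5 keys are used as their ASCII text.
DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}
HEADER_LEN = 48

# Constructed keyring of trusted keys: key number -> (type, secret). Untrusted
# keys are simply not listed, so packets signed with them are rejected.
TRUSTED_KEYS = {
    1: ("MD5", "Rocket123"),
    3: ("SHA1", "0123456789abcdef0123456789abcdef01234567"),
}

def key_bytes(ktype, key):
    return bytes.fromhex(key) if ktype == "SHA1" else key.encode("ascii")

def compute_mac(header, ktype, key):
    return DIGESTS[ktype](key_bytes(ktype, key) + header).digest()

def sign_packet(header, keyno, keyring):
    """Append key number and digest, as a broadcasting server would."""
    ktype, key = keyring[keyno]
    return header + struct.pack("!I", keyno) + compute_mac(header, ktype, key)

def verify_packet(packet, keyring):
    """Return the key number that authenticates the packet, or None if it fails."""
    if len(packet) < HEADER_LEN + 4:
        return None                       # no MAC present
    header = packet[:HEADER_LEN]
    keyno = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    mac = packet[HEADER_LEN + 4:]
    if keyno not in keyring:
        return None                       # unknown or untrusted key number
    ktype, key = keyring[keyno]
    expected = compute_mac(header, ktype, key)
    return keyno if hmac.compare_digest(mac, expected) else None

def sample_header():
    """Constructed NTPv4 broadcast header: LI=0, VN=4, mode=5, zeroed fields,
    with a made-up transmit timestamp in the last 8 bytes."""
    return struct.pack("!B", 0x25) + bytes(39) + struct.pack("!Q", 0xE3A1B2C300000000)
```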