Windows Server and AD - Disable time sync on logon

0

I have a MS AD domain with some application servers all running Windows Server 2012 R2. The application has a special requirement: time shift between its database and the app servers must be less than 5 seconds. If there is a time difference of 2 seconds or more the application will set the machine time manually. If there is more than 5 or 10 seconds (can't remember) the app simply doesn't load.

I tried to rely on Active Directory time synchronisation mechanisms as I normally do but it doesn't work here. It needs to be more "accurate".

So my question is... knowing the risks of having a time de-synchronization between domain controllers and app servers, is it possible to disable Windows time sync on logon in an Active Directory domain?

Remi Serriere

Posted 2018-07-30T16:44:51.403

Reputation: 1

Requiring a time difference below 5 seconds is actually a pretty common requirement, as far as distributed systems go... But I'm surprised that AD time sync doesn't provide that – doesn't it use NTPv4, which should be able to provide sub-second accuracy? Do both of your servers sync against the same domain controller? Are all of your dc's in sync? – user1686 – 2018-07-30T17:20:11.763

Typically all systems should be synced <1sec assuming the time-servers are properly set. Check this out https://support.microsoft.com/en-us/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server Also https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/how-the-windows-time-service-works

– Jeff F. – 2018-07-30T18:04:17.353

The time sync on a domain is accurate. What you have is a problem elsewhere. I suspect you are running virtual machines and you have your clock settings wrong on the VM settings which cause the host system to interfere with the guest system’s time. Make sure the host system is also synced with a common time source and/or play with the host/guest clock settings. – Appleoddity – 2018-07-31T01:35:55.913

The thing is... The application itself uses the SQL NOW() function to get the database server date and time. If there is a difference of 2 seconds or more between the app server time and database time then the application forces a time change. Yes we are using virtual machines running on Azure. AD does provide time sync but the time returned by the SQL server might not be exactly the same as the AD server time, even if the SQL is running in the domain. That's why I want to disable time synchronisation at login... We WILL have time shift but it should be less than 5 minutes anyway. – Remi Serriere – 2018-07-31T08:47:48.747

Answers

0

Windows AD needs timestamps for AD replication conflicts and for Kerberos authentication. Kerberos uses them to protect against replay attacks, where an authentication packet is intercepted on the network and then resent later to authenticate on the original sender's behalf.

If the difference between the local time and the timestamp is too big, the authentication request is rejected and Kerberos authentication fails. Setting the time skew too high creates a higher risk for replay attacks. The default setting is five minutes.

Without the time being in sync between domain controllers and servers, it would not be possible to complete authentication. So disabling Windows time sync on logon in an Active Directory domain can cause significant problems for authentication.

Daisy Zhou

Posted 2018-07-30T16:44:51.403

Reputation: 812

You aren't wrong, but AD requires the clock to be within 5 minutes per this question (https://superuser.com/questions/395966/how-inaccurate-must-the-clocks-time-be-for-ntlm-requests-to-be-denied-due-to-th). The requester intends the clock to be within 5 seconds. Your concern is not a risk they will face.

– Slartibartfast – 2018-07-31T03:52:04.230
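As an added example (not part of the original thread, nor code from any of its participants), the following PowerShell script measures the two offsets that matter in this question: the app server's clock against its logon domain controller, and against the database server, then compares them with the application's 5 second limit from the question and the Kerberos skew tolerance from the answer (5 minutes by default). It assumes the database is SQL Server reachable with integrated authentication, so it queries SYSUTCDATETIME() rather than the NOW() mentioned in the question; the host name `sqlserver01` is a placeholder. It also prints the W32Time source, because a VM that takes its time from the hypervisor or the local CMOS clock instead of the DC is the usual reason the two clocks disagree.

```powershell
# Added example for the thread above; not from the original question or answer.
# Assumptions: domain-joined app server, SQL Server with integrated authentication,
# $SqlServer is a hypothetical host name, w32tm.exe is available (it is on Server 2012 R2).
param(
    [string]$DomainController = $env:LOGONSERVER.TrimStart('\'),  # DC that authenticated this logon
    [string]$SqlServer        = 'sqlserver01',                    # hypothetical database host
    [double]$AppLimitSeconds  = 5                                 # application tolerance from the question
)

function Get-DcOffsetSeconds {
    param([string]$Computer)
    # w32tm /stripchart takes NTP samples from the target; with /dataonly each sample line
    # looks like "16:44:51, +00.0070361s". Average the signed offsets.
    $lines = w32tm /stripchart /computer:$Computer /samples:5 /dataonly 2>&1
    $offsets = foreach ($l in $lines) {
        if ($l -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No NTP samples from $Computer`: $($lines -join ' ')" }
    ($offsets | Measure-Object -Average).Average
}

function Get-SqlOffsetSeconds {
    param([string]$Server)
    Add-Type -AssemblyName System.Data
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Server;Integrated Security=True;Connection Timeout=5")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # UTC on both sides, so a time-zone or DST mismatch is not mistaken for clock skew.
        $cmd.CommandText = 'SELECT SYSUTCDATETIME()'
        $before = [datetime]::UtcNow
        $sqlUtc = [datetime]$cmd.ExecuteScalar()
        $after  = [datetime]::UtcNow
        # Compare against the midpoint of the round trip so network latency is not counted as skew.
        $mid = $before.AddTicks([long](($after - $before).Ticks / 2))
        ($sqlUtc - $mid).TotalSeconds
    }
    finally { $conn.Dispose() }
}

function Get-KerberosSkewSeconds {
    # Client-side SkewTime (minutes) under the Kerberos parameters key; when the value is absent
    # the default of 5 minutes applies. The domain-wide setting is the Default Domain Policy's
    # "Maximum tolerance for computer clock synchronization".
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' `
                          -Name SkewTime -ErrorAction SilentlyContinue
    $minutes = if ($p -and $p.SkewTime) { [int]$p.SkewTime } else { 5 }
    $minutes * 60
}

$dcOffset  = Get-DcOffsetSeconds  -Computer $DomainController
$sqlOffset = Get-SqlOffsetSeconds -Server   $SqlServer
$kerbLimit = Get-KerberosSkewSeconds

'{0,-34} {1,10:N3} s' -f "offset vs DC $DomainController",  $dcOffset
'{0,-34} {1,10:N3} s' -f "offset vs SQL $SqlServer",        $sqlOffset
'{0,-34} {1,10:N0} s' -f 'Kerberos skew tolerance',          $kerbLimit

if ([math]::Abs($sqlOffset) -ge $AppLimitSeconds) {
    Write-Warning "App server and database differ by $([math]::Round($sqlOffset,3)) s; the application will reset the clock or refuse to load."
}
if ([math]::Abs($dcOffset) -ge $kerbLimit) {
    Write-Warning "Offset to the DC exceeds the Kerberos tolerance of $kerbLimit s; Kerberos authentication will fail."
}

# Where this machine's clock actually comes from. On a VM, "Local CMOS Clock" or the
# hypervisor's time provider here (rather than the DC) explains drift that AD sync cannot fix.
w32tm /query /source
```

Run it on the app server as a domain user with access to the SQL instance. If the SQL offset is large while the DC offset is small, the database host is the one not following the domain hierarchy, and fixing its time source is a better answer than switching off W32Time on the app servers; the Kerberos check shows how much margin remains before authentication itself breaks.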