0

I would like to ask if Windows Server 2012 R2 is able to do an authenticated NTP implementation (acting as a client), using a defined (not Kerberos or AD related) symmetric key for authenticating and exchanging the NTP packets.

Ottootto
  • The NTP protocol defines the use of an MD5 hash for validating the authentication of NTP from a server. There is no need to encrypt NTP, but there may be a need for a client to verify the server. As @Marc-Antoine Favreau points out, SNTP is something different. – Ron Maupin Jan 30 '17 at 16:24

2 Answers

2

To my knowledge SNTP means "Simple Net Time Protocol" and not "Secure". Also, the Windows NTP service can only use Kerberos as a means of authentication.

The Simple Network Time Protocol (SNTP) is a simplified time protocol that is intended for servers and clients that do not require the degree of accuracy that NTP provides. SNTP, a more rudimentary version of NTP, is the primary time protocol that is used in Windows 2000. Because the network packet formats of SNTP and NTP are identical, the two protocols are interoperable. The primary difference between the two is that SNTP does not have the error management and complex filtering systems that NTP provides. For more information about the Simple Network Time Protocol, see RFC 1769 in the IETF RFC Database.

How the Windows Time Service Works

1

No. Microsoft has a custom authentication mechanism in their NTP implementation of the Windows Time Service, but not as you describe. It's also used only for authentication. The Authenticator and ExtendedAuthenticator extensions are published here:

[MS-SNTP]: Network Time Protocol (NTP) Authentication Extensions
https://msdn.microsoft.com/en-us/library/cc246877.aspx

Greg Askew
  • Thank you for your comment - I edited the question accordingly. Could someone please clarify if it would be possible to configure the built-in Windows Server NTP client (actually the SNTP client) to perform authentication against an external NTP server (accessible over the Internet and not part of any client-side known AD Domain), providing NTP authentication based services (i.e. MD5 hashing using a pre-defined symmetric key)? – Ottootto Jan 31 '17 at 10:39
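The symmetric-key MD5 authentication the question and comments refer to (RFC 5905 Appendix A, the scheme used by ntpd's keys file) is illustrated below in an added example that is not part of this thread: it builds a client request, appends the key ID plus MD5 MAC, and verifies a received packet against a key table. The key ID, key value and transmit timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48          # fixed NTPv4 header length (RFC 5905)
MAC_LEN = 4 + 16             # 32-bit key ID followed by a 16-byte MD5 digest

def build_ntp_client_packet(transmit_seconds=0):
    """Construct a minimal NTPv4 client request header (LI=0, VN=4, Mode=3).
    transmit_seconds is the NTP-era seconds field; all other fields are zero."""
    header = struct.pack("!BBbb", 0x23, 0, 0, 0)        # LI/VN/mode, stratum, poll, precision
    header += struct.pack("!II", 0, 0)                   # root delay, root dispersion
    header += b"\x00" * 4                                # reference ID
    header += b"\x00" * 24                               # reference, origin, receive timestamps
    header += struct.pack("!II", transmit_seconds, 0)    # transmit timestamp (seconds, fraction)
    assert len(header) == NTP_HEADER_LEN
    return header

def compute_mac(key_id, key, packet):
    """Symmetric-key MAC per RFC 5905 Appendix A.5.2: the MD5 digest is taken over
    the shared key prepended to the packet (a keyed hash, not HMAC)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()

def sign_packet(key_id, key, packet):
    """Append the key ID and digest, producing the 68-byte authenticated packet."""
    return packet + compute_mac(key_id, key, packet)

def verify_packet(data, keys):
    """Validate a received packet against a table {key_id: key_bytes}.
    Returns (authenticated, key_id); key_id is None when no MAC is present."""
    if len(data) < NTP_HEADER_LEN + MAC_LEN:
        return False, None
    body, mac = data[:-MAC_LEN], data[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:                      # unknown/untrusted key ID: reject
        return False, key_id
    expected = hashlib.md5(key + body).digest()
    # constant-time comparison so the check leaks nothing through timing
    return hmac.compare_digest(expected, mac[4:]), key_id

if __name__ == "__main__":
    # Constructed sample key, in the style of an ntpd keys-file MD5 ("M") key.
    KEYS = {1: b"constructedkey"}
    request = build_ntp_client_packet(transmit_seconds=3692000000)
    signed = sign_packet(1, KEYS[1], request)
    print(len(signed), verify_packet(signed, KEYS))                     # 68 (True, 1)
    tampered = signed[:40] + b"\xff" + signed[41:]                       # alter transmit timestamp
    print(verify_packet(tampered, KEYS))                                 # (False, 1)
```

Because the MAC is a plain keyed MD5 over the packet, anyone holding the shared key can produce a valid MAC, so the key table on the receiving side is the whole trust boundary.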