Sync Issues Can Arise for PCs with Poor VPN Connections
Microsoft this week reminded IT pros that PC connections through virtual private networks (VPNs) can sometimes lead to time synchronization issues, possibly causing reduced functionality for end users.
With the present work-from-home phenomenon, the system clock of an Active Directory domain-joined PC can drift away from the domain's time over a period of weeks. Such drift starts to happen when the PC loses regular connectivity to a domain controller, for instance because the VPN an organization relies on is unreliable or rarely connected, so the Windows Time service cannot complete its periodic synchronization.
Here's how Microsoft expressed the issue:
What is new in recent times is the pervasive use of VPNs by almost everyone to work from home and the quality/reliability of the VPNs available in each case. These factors have affected the time synchronization on the domain client PCs at home. Over a period, domain clients with poor domain connectivity can experience loss of domain functionality or other functionality due to their system time drifting too far from the current time.
One sensitive aspect is the Kerberos security protocol, used for Windows authentications. Its authenticators carry timestamps so that a domain controller can reject a captured authenticator that an attacker resends later, the so-called "replay attack." If the time discrepancy between the client and the domain controller exceeds the domain's maximum clock skew (five minutes by default), ticket requests fail and the user loses access to domain resources.
Microsoft's announcement included a few "suggested configuration changes" to help ensure that clients get synchronized with Coordinated Universal Time (UTC) in some way, which is what the venerable Network Time Protocol (NTP), available via Internet connections, is supposed to do.
While it's possible for PCs to connect to NTP servers to sync their time, Microsoft offered a cautionary note on doing that, saying that "although this involves the use of unsecured NTP protocol, some techniques can be used to minimize potential risks." Plain NTP carries no authentication, so a spoofed or tampered reply can move a client's clock; the domain hierarchy sync that domain-joined PCs use by default, by contrast, authenticates time samples with the computer account.
Those techniques to assure security in connecting to NTP servers weren't spelled out in the announcement. Presumably, they are implicit in Microsoft's recommended configuration changes.
Microsoft did create a way to securely sync PCs via its "secure time seeding" feature. Secure time seeding is turned on by default in Windows 10 systems and has been available since Microsoft's November 2015 Windows 10 release.
However, secure time seeding is mostly just there to support consumer machines, Microsoft explained:
The secure time seeding feature was introduced in Windows as a means of correcting very large time errors on consumer PCs. Although this feature was not intended to keep time accurate enough for AD Domains, it can help correct large time errors in certain scenarios and allows SSL/TLS to function. The feature is enabled by default on domain machines also.
Microsoft's advice for Active Directory domain-joined PCs consisted of possible registry changes to the Windows Time service (W32Time) configuration to help keep PCs in sync. However, its recommendations were offered with an "it depends" viewpoint.
"The parameters mentioned above may need customization for your specific topology," Microsoft concluded. They will also require validation before rolling into production, the announcement added.
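Before changing any of those parameters, an administrator wants to know how far a VPN-connected client has actually drifted and what the Windows Time service is currently configured to do. The following PowerShell script is an added example written for this article; it is not from Microsoft's announcement and does not implement Microsoft's recommended settings. It measures the client's offset against a reference (assumed to be the domain controller the client last authenticated to), compares it with the Kerberos skew limit (the five-minute default is assumed; the `$MaxSkewMinutes` parameter is a name chosen here), reads the W32Time registry values a change advisory would touch, and forces a resync if the clock is already outside the Kerberos window. Run it elevated on a domain-joined Windows 10 client with the VPN up, and record the output before and after any registry change as the validation step the announcement asks for.

```powershell
# Added example, not Microsoft's code. Assumes: elevated session on a
# domain-joined Windows 10 client, VPN connected, UDP 123 reachable to the DC.
param(
    # Reference clock: the DC this session logged on against (LOGONSERVER is \\NAME).
    [string]$Reference = ($env:LOGONSERVER -replace '^\\\\', ''),
    # Kerberos "Maximum tolerance for computer clock synchronization"; 5 min is the
    # default. Assumption: change it here if your domain policy uses another value.
    [int]$MaxSkewMinutes = 5,
    [int]$Samples = 5
)

if (-not $Reference) { throw 'No LOGONSERVER in the environment; pass -Reference <dc-fqdn>.' }

# w32tm /stripchart asks the target's NTP service for samples; with /dataonly each
# sample line looks like "10:00:00, +00.0123456s" (offset of local clock vs target).
$lines = w32tm /stripchart /computer:$Reference /samples:$Samples /dataonly 2>&1
$offsets = foreach ($l in $lines) {
    if ($l -match ',\s*([+-]?\d+(\.\d+)?)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    throw "No offset samples from $Reference (VPN down, name not resolving, or UDP 123 blocked?)"
}
$offset = ($offsets | Measure-Object -Average).Average
$limit  = $MaxSkewMinutes * 60

# What the Windows Time service believes it is syncing from right now.
$source = w32tm /query /source

# Registry values behind W32Time. Type = NT5DS means "follow the domain hierarchy",
# NTP means "use the NtpServer peer list"; the phase-correction limits bound how far
# a single sample may move the clock, which also limits damage from a bogus NTP reply.
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$config = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$ntpCli = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient'

[pscustomobject]@{
    Reference                = $Reference
    OffsetSeconds            = [math]::Round($offset, 3)
    KerberosLimitSeconds     = $limit
    WithinKerberosSkew       = [math]::Abs($offset) -lt $limit
    CurrentTimeSource        = $source
    SyncType                 = $params.Type
    NtpServer                = $params.NtpServer
    SpecialPollIntervalSec   = $ntpCli.SpecialPollInterval
    MaxPosPhaseCorrectionSec = $config.MaxPosPhaseCorrection
    MaxNegPhaseCorrectionSec = $config.MaxNegPhaseCorrection
} | Format-List

if ([math]::Abs($offset) -ge $limit) {
    Write-Warning ("Clock is {0} s off {1}; Kerberos ticket requests will fail until corrected." -f
        [math]::Round($offset), $Reference)
    # Ask W32Time to resynchronize from its configured source immediately.
    w32tm /resync /nowait
}
```

The offset measured by `w32tm /stripchart` is the quantity Kerberos cares about, since the client and the KDC are the two clocks being compared. The registry values are printed rather than modified on purpose: which poll interval and phase-correction limits are appropriate depends on the VPN's behavior in a given environment, which is the "it depends" caveat in Microsoft's announcement.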
Such advice seemed to get echoed in a Redmondmag.com article by Microsoft MVP and author Brien Posey. In a somewhat different context, he observed that "in my experience, there is no one single technique that fixes clock sync problems every time."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.