Sync Issues Can Arise for PCs with Poor VPN Connections

Microsoft this week reminded IT pros that PC connections through virtual private networks (VPNs) can sometimes lead to time synchronization issues, possibly causing reduced functionality for end users.

With the present work-from-home phenomenon, the clock of an Active Directory domain-joined PC can gradually drift away from the domain's time. Such drift sets in when the VPN an organization relies on gives the client only intermittent connectivity to its domain controllers, so the Windows Time service cannot sync often enough.

Here's how Microsoft expressed the issue:

What is new in recent times is the pervasive use of VPNs by almost everyone to work from home and the quality/reliability of the VPNs available in each case. These factors have affected the time synchronization on the domain client PCs at home. Over a period, domain clients with poor domain connectivity can experience loss of domain functionality or other functionality due to their system time drifting too far from the current time.

One sensitive component is Kerberos, the protocol behind most Windows domain authentication. A Kerberos authenticator carries a timestamp, which the receiving service uses to reject a captured message that an attacker presents again later (a so-called "replay attack"). By default, Active Directory rejects requests whose timestamp differs from the server's clock by more than five minutes, so a client whose clock has drifted past that window cannot obtain or use service tickets until its time is corrected.
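An added example (not part of Microsoft's announcement or this article) of the check a help desk or an endpoint script would run on a remote domain-joined PC: sample the client's clock offset against a domain controller with w32tm, take the median so that one delayed packet over a lossy VPN does not distort the result, and compare it with the Kerberos skew limit. It assumes w32tm.exe is present and that the DC is reachable through the VPN; the five-minute limit is Active Directory's default "Maximum tolerance for computer clock synchronization" policy and may differ in your domain, and the DC name is a placeholder.

```powershell
<#
  Added example, not Microsoft's own tooling: measure this client's clock offset
  against a domain controller and compare it with the Kerberos skew tolerance.
  Assumptions: w32tm.exe is available, the DC is reachable over the VPN, and the
  domain uses the default 5-minute Kerberos tolerance. Run as an administrator.
#>
param(
    [string]$DomainController = 'dc01.corp.example',   # placeholder; use a real DC name
    [int]$Samples = 5,
    [TimeSpan]$KerberosTolerance = [TimeSpan]::FromMinutes(5)
)

function Get-ClockOffsetSeconds {
    param([string]$Computer, [int]$Count)
    # With /dataonly, w32tm prints one "HH:mm:ss, +00.0123456s" line per sample.
    $output = & w32tm.exe /stripchart /computer:$Computer /samples:$Count /dataonly 2>&1
    $offsets = @()
    foreach ($line in $output) {
        if ($line -match '^\s*[\d:]+,\s*([+-]\d+\.\d+)s') {
            $offsets += [double]$Matches[1]
        } elseif ($line -match 'error') {
            Write-Warning "w32tm: $line"   # e.g. a timeout when the VPN drops mid-query
        }
    }
    if ($offsets.Count -eq 0) {
        throw "No time samples from $Computer; check VPN and domain connectivity."
    }
    # Median rather than mean: a single delayed reply should not skew the verdict.
    $sorted = @($offsets | Sort-Object)
    return $sorted[[int][math]::Floor($sorted.Count / 2)]
}

$offset = Get-ClockOffsetSeconds -Computer $DomainController -Count $Samples
$skew   = [TimeSpan]::FromSeconds([math]::Abs($offset))
$half   = [TimeSpan]::FromTicks([long]($KerberosTolerance.Ticks / 2))

Write-Host ("Time source  : " + (& w32tm.exe /query /source))
Write-Host ("Offset vs DC : {0:+0.000;-0.000} s" -f $offset)

if ($skew -ge $KerberosTolerance) {
    $msg = ("Clock skew {0} exceeds the Kerberos tolerance of {1}; ticket requests " +
            "will fail with KRB_AP_ERR_SKEW until the clock is corrected. " +
            "Try: w32tm /resync /nowait") -f $skew, $KerberosTolerance
    Write-Warning $msg
} elseif ($skew -ge $half) {
    Write-Warning ("Clock skew {0} is past half the Kerberos tolerance; investigate before it grows." -f $skew)
} else {
    Write-Host ("Clock skew {0} is within tolerance." -f $skew)
}
```

The warning at half the tolerance is deliberate: a client that is already two or three minutes out on a poor VPN link will usually cross the five-minute line before the next successful sync, so that is the point at which to intervene rather than waiting for logon failures.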

Configuration Changes
Microsoft's announcement included a few "suggested configuration changes" to help ensure that clients stay synchronized with Coordinated Universal Time (UTC) by some route, which is what the venerable Network Time Protocol (NTP) does for any machine with an Internet connection.

While it's possible for PCs to connect to NTP servers to sync their time, Microsoft offered a cautionary note on doing that, saying that "although this involves the use of unsecured NTP protocol, some techniques can be used to minimize potential risks." Plain NTP carries no authentication, so a spoofed or intercepted reply can move a client's clock, and a client that syncs from the Internet rather than from its domain controllers is trusting that source with its Kerberos timestamps.

Those techniques for reducing the risk of syncing from NTP servers weren't spelled out in the announcement. Presumably, they are implicit in Microsoft's recommended configuration changes.
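As an added example (not the configuration values from Microsoft's announcement, which the article does not reproduce), the following script points a domain client's Windows Time service at explicit NTP servers for use while the domain hierarchy is unreachable, caps how far a single NTP response may move the clock, and can revert the client to syncing from its domain controllers. The cap is one mitigation for unauthenticated NTP, since a spoofed reply then cannot jump the clock by more than the limit; it is an assumption here, not the full set of "techniques" the announcement alludes to. Server names and limits are placeholders to validate in your own topology.

```powershell
<#
  Added example, not Microsoft's announced settings: configure w32time on a domain
  client with explicit NTP peers and a bounded phase correction, or revert it to
  the domain hierarchy. Assumptions: run as an administrator; the NTP server name
  and the one-hour cap are placeholders. A cap below the drift you need to repair
  makes the service refuse the correction, so size it for your worst case.
#>
param(
    [string[]]$NtpServers = @('time.windows.com'),   # assumption; use your own source
    [int]$MaxPhaseCorrectionSeconds = 3600,           # assumption: never jump more than 1 h
    [switch]$RevertToDomainHierarchy
)

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

function Show-W32TimeState {
    # Current source plus the two registry values that bound a single correction.
    Write-Host ("Source: " + (& w32tm.exe /query /source))
    foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
        $value = (Get-ItemProperty -Path $configKey -Name $name -ErrorAction SilentlyContinue).$name
        Write-Host ("{0,-22}: {1}" -f $name, $value)
    }
}

Write-Host '--- before ---'
Show-W32TimeState

if ($RevertToDomainHierarchy) {
    # Normal behaviour for a domain member: sync from a domain controller (NT5DS).
    & w32tm.exe /config /syncfromflags:domhier /update | Out-Null
} else {
    # Flag 0x8 marks each peer as a client-mode association.
    $peerList = ($NtpServers | ForEach-Object { "$_,0x8" }) -join ' '
    & w32tm.exe /config /manualpeerlist:"$peerList" /syncfromflags:manual /update | Out-Null
}

# Bound the correction a single sample may apply, whichever source is in use.
foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
    Set-ItemProperty -Path $configKey -Name $name -Value $MaxPhaseCorrectionSeconds -Type DWord
}

Restart-Service -Name w32time
& w32tm.exe /resync /nowait | Out-Null

Write-Host '--- after ---'
Show-W32TimeState
```

The trade-off to keep in mind is that a manual peer list takes the client off the domain hierarchy entirely, so run the script with -RevertToDomainHierarchy once the VPN is reliable again, and treat the phase-correction cap as a ceiling on damage from a bad NTP reply rather than as a substitute for a trustworthy time source.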

Microsoft did create a way to correct badly wrong clocks on PCs via its "secure time seeding" feature, which uses time data gathered from the machine's outbound SSL/TLS connections. Secure time seeding is turned on by default in Windows 10 systems and has been available since Microsoft's November 2015 Windows 10 release.

However, secure time seeding is mostly just there to support consumer machines, Microsoft explained:  

Secure time seeding feature was introduced in Windows as a means of correcting very large time errors on consumer PCs. Although this feature was not intended to keep time accurate enough for AD Domains, it can help correct large time errors in certain scenarios and allows SSL/TLS to function. The feature is enabled by default on domain machines also.

It Depends
Microsoft's advice for Active Directory domain-joined PCs consisted of making some possible registry changes to help keep PCs in sync. However, its recommendations were offered with an "it depends" viewpoint.

"The parameters mentioned above may need customization for your specific topology," Microsoft concluded. They will also require validation before rolling into production, the announcement added.

Such advice seemed to get echoed in an article by Microsoft MVP and author Brien Posey. In a somewhat different context, he observed that "in my experience, there is no one single technique that fixes clock sync problems every time."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

