Friday, March 28, 2014

Kerberos and the Clock

Time is ticking away. Tick tick ticking away...
Time keeps on slipping, slipping, slipping... into the future...

Enough song references. Windows 8, like Windows 7, Vista, XP, and 2000 before it, is an operating system that takes its clock very seriously. What is it that all of these operating systems have in common? The ability to join an Active Directory domain that is secured by Kerberos, the authentication protocol named for the mythical 3-headed dog of the underworld that guards the gates to hell. This is something to take seriously.

Here is the quick picture of Kerberos from Microsoft's web site (http://technet.microsoft.com/en-us/library/bb742516.aspx)


The essential element to get here is that after Sue proves who she is (name & password, smart card, etc.) to the Authentication Service (one half of the Kerberos KDC, which runs on every Active Directory Domain Controller), she receives a Ticket Granting Ticket (TGT). Her workstation then presents that TGT automatically to the Ticket Granting Service (the other half of the KDC on the same Domain Controller) whenever she needs access to a service. Access to each service is granted by way of a Service Ticket (ST) that is issued on demand as she tries to use each service, whether it be the local workstation or a remote server.
Both the TGT and each Service Ticket carry a start time and an expiry time, and the Service Ticket is encrypted with the target service's own long-term key, so only that service (and the KDC) can read it. Along with the ticket, the client sends an authenticator containing its current clock time, encrypted with the session key that is sealed inside the ticket. When the service receives the pair, it decrypts the ticket with its own key, recovers the session key, decrypts the authenticator, and checks that the client's timestamp is within the allowed skew of its own clock: 5 minutes by default, as set by the domain's Kerberos policy "Maximum tolerance for computer clock synchronization". That short window limits how long a captured authenticator is useful to an attacker, and the service also remembers the authenticators it has seen inside the window so an exact replay is rejected. If there is too much "time skew" the service rejects the request with KRB_AP_ERR_SKEW and the access attempt fails. The KDC applies the same check to the encrypted timestamp the client sends as pre-authentication when it asks for the TGT in the first place.

Remember this begins with the local logon service!

So we need to have the correct time on all of our clients and servers when in a domain environment. This is why the "Change the system time" user right is NOT granted to standard users, but only to local Administrators (and, by default, to LOCAL SERVICE, which is what the time service itself runs as). This is to prevent Joe User from setting their clock ten minutes fast (to ensure they don't miss their meetings), only to be blindsided and unable to log on! But in many cases users are made members of the local Administrators group, which then allows for localized changes to time.
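Before touching any configuration it is worth knowing how far off a machine actually is. The following PowerShell is an added example (not code from the original post): it samples this machine's offset from the domain controller that logged it on using w32tm /stripchart, takes the median of the samples, and compares it with the Kerberos tolerance. The 5-minute figure is the Active Directory default; the use of $env:LOGONSERVER as the reference DC and the sample count are assumptions you can change.

```powershell
# Added example: measure clock offset against the logon DC and compare it with
# the Kerberos skew tolerance. Not part of the original post.

function Get-ClockOffsetFromDC {
    param(
        # Assumption: the DC that authenticated this session is a sensible reference.
        # $env:LOGONSERVER looks like "\\DC01"; strip the leading backslashes.
        [string]$Computer = ($env:LOGONSERVER -replace '^\\\\', ''),
        [int]$Samples = 5
    )
    # /dataonly prints one line per sample in the form "HH:mm:ss, +00.0123456s".
    # Lines that failed look like "HH:mm:ss, error: 0x..." and are skipped by the regex.
    $lines = & w32tm.exe /stripchart /computer:$Computer /samples:$Samples /period:1 /dataonly
    $offsets = @(foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    })
    if ($offsets.Count -eq 0) {
        throw "No usable samples from ${Computer}: $($lines -join ' | ')"
    }
    # Median rather than mean, so one delayed packet does not distort the answer.
    $sorted = @($offsets | Sort-Object)
    $sorted[[int][math]::Floor($sorted.Count / 2)]
}

function Test-KerberosClockSkew {
    param(
        [Parameter(Mandatory)][double]$OffsetSeconds,
        # AD default for "Maximum tolerance for computer clock synchronization".
        [int]$ToleranceMinutes = 5
    )
    $limit = $ToleranceMinutes * 60
    [pscustomobject]@{
        OffsetSeconds    = [math]::Round($OffsetSeconds, 3)
        ToleranceSeconds = $limit
        WithinTolerance  = ([math]::Abs($OffsetSeconds) -lt $limit)
    }
}

$offset = Get-ClockOffsetFromDC
$result = Test-KerberosClockSkew -OffsetSeconds $offset
$result | Format-List
if (-not $result.WithinTolerance) {
    Write-Warning "Clock skew exceeds the Kerberos tolerance; expect KRB_AP_ERR_SKEW until the clock is corrected."
}
```

A positive offset means the DC is ahead of this machine. Anything approaching the tolerance deserves attention long before logons start failing, because the authenticator check uses the service's clock, and your servers may drift in the opposite direction from your workstations.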

That's why there is a local service at work on the client to keep the clocks synchronized. The service name is w32time, displayed as "Windows Time". It speaks the Network Time Protocol (NTP) over UDP port 123; the Windows 2000 version only implemented the simpler SNTP subset of the protocol, which is where the older option names come from. In previous versions of Windows the command-line way to manage this service was the NET TIME /SETSNTP command. In Windows 8 if you issue this command you will receive the message "The /QUERYSNTP and /SETSNTP options have been deprecated. Please use w32tm.exe to configure the Windows Time Service." So off we go to the new and improved time sync utility!
W32tm will need to be run in an administrative command prompt. To discover your current configuration use the command
w32tm /query /configuration /verbose
Here is sample output from a domain environment:
[screenshot: w32tm /query /configuration /verbose output from a domain-joined Windows 8 client, showing Type: NT5DS]
By default your Type value in a domain will be NT5DS. This means the local machine syncs from the domain hierarchy: a member computer takes its time from the domain controller that authenticated it (located through the same DNS SRV records used to find a logon server), every DC in the domain follows the DC that holds the PDC emulator role, and the PDC emulator of each child domain follows a DC in its parent domain. The PDC emulator of the forest root domain sits at the top of that tree and is the one machine that should be pointed at an external, reliable time source. By default the PDC emulator role lands on the first domain controller promoted in a domain (it can be moved later); in addition to standard authentication duties, that DC is the focal point for time synchronization in the domain. Clients can find it automatically through a DNS lookup of the _ldap._tcp.pdc._msdcs.<domain> SRV record.
So for domain members the default behavior already follows your site and domain layout, and in a geographically distributed environment it is usually exactly what you want. The cases for pointing at one or more time servers manually are the forest root PDC emulator (which needs an upstream source), machines that are not domain members, and the occasional host that must track a specific NTP server. Note that while every domain controller answers NTP requests on UDP port 123 by default, the NtpServer provider is disabled on member workstations and member servers (it appears under [TimeProviders] in w32tm /query /configuration as "NtpServer" with "Enabled: 0"); you would have to enable it and allow UDP 123 inbound through the Windows firewall before another machine could sync from it.
To change your configuration to point to a specific machine use the command
w32tm /config /ManualPeerList:"<server1> <server2>" /SyncFromFlags:Manual /Update
/ManualPeerList defines the space-separated list of NTP servers to use (that's why we have to put them in quotes if we have more than one). Replace <server1> <server2> with your own host names or addresses; a flag such as ,0x8 can be appended to a peer name to force client mode.
/SyncFromFlags:Manual indicates that instead of using Active Directory we want to use our own list of NTP servers.
/Update tells the running service to pick up the change. Without it the new values are written to the registry but not used until the service restarts. Follow it with w32tm /resync if you want a sync right away rather than at the next poll.
Having done so, if we run the w32tm /query /configuration /verbose command again we see the following:
[screenshot: w32tm /query /configuration /verbose output after the change, showing Type: NTP and the manual peer list]
As you can see, the Type is now NTP, which means the service will only use our manually specified time servers. To confirm which peer it is actually following once a sync has succeeded, run w32tm /query /source; if it still reports "Local CMOS Clock", no peer has answered yet.
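Putting the whole change together, here is the same procedure as a PowerShell script. This is an added example, not code from the original post: it sets the manual peer list, applies it with /Update, forces a resync, and then reads the Type line back out of w32tm /query /configuration so a script (or a deployment tool) can verify the result instead of eyeballing a screenshot. The peer names are assumed placeholders; run it from an elevated session.

```powershell
# Added example: switch to a manual NTP peer list and verify the resulting Type.
# Not part of the original post. Peer names below are assumptions.

function Set-ManualNtpPeers {
    param(
        [Parameter(Mandatory)][string[]]$Peers
    )
    # /ManualPeerList takes a space-separated list, so the joined list is passed
    # as one quoted argument. /Update makes the running service reload the change.
    & w32tm.exe /config /manualpeerlist:"$($Peers -join ' ')" /syncfromflags:manual /update
    if ($LASTEXITCODE -ne 0) {
        throw "w32tm /config failed with exit code $LASTEXITCODE (are you elevated?)"
    }
    # Ask for an immediate sync instead of waiting for the next poll interval.
    & w32tm.exe /resync /nowait | Out-Null
}

function Get-W32TimeType {
    # The configuration dump contains a line such as "Type: NTP (Local)";
    # capture the first token after "Type:".
    $out = & w32tm.exe /query /configuration
    foreach ($line in $out) {
        if ($line -match '^\s*Type:\s*(\S+)') { return $Matches[1] }
    }
    throw "Type line not found in w32tm /query /configuration output"
}

function Get-W32TimeSource {
    # "Local CMOS Clock" here means no peer has been reached yet.
    (& w32tm.exe /query /source) -join ''
}

# Assumed host names; substitute your own NTP servers.
Set-ManualNtpPeers -Peers 'time1.example.internal', 'time2.example.internal'

$type = Get-W32TimeType
"Type:   $type"
"Source: $(Get-W32TimeSource)"
if ($type -ne 'NTP') {
    Write-Warning "Expected Type NTP after /syncfromflags:manual but found $type"
}
```

To go back to the domain hierarchy later, the only change is /syncfromflags:domhier (the manual peer list can stay in the registry unused), after which Get-W32TimeType should return NT5DS.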
Our earlier command of w32tm /config /SyncFromFlags accepts 4 different values, which show up in w32tm /query /configuration as 4 different "Types":

/SyncFromFlags value   /Query /Configuration Type   Effect
Manual                 NTP                          Uses only the servers specified in the /ManualPeerList configuration
DomHier                NT5DS                        Uses the domain hierarchy: the DC that authenticated the machine, which in turn follows the PDC emulator
All                    AllSync                      Uses both the domain hierarchy and your manually specified time servers as sources
No                     NoSync                       Does not synchronize at all, even though the service is started
Of course, you have Active Directory... what are you doing at the command line? Go make a group policy!
The setting lives under Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers, as "Configure Windows NTP Client" (the same folder holds "Enable Windows NTP Client" and "Enable Windows NTP Server"). It takes the same NtpServer list, Type, and poll interval you just set with w32tm, so once you get there it is pretty straight-forward.