April 2006 - Posts

Saturday, April 29, 2006 10:31 AM

Configuring Windows Time Service

Time synchronization is an almost invisible, but critical, task on your network.  Windows 2000 and 2003 Active Directories will always attempt to use Kerberos to authenticate users from one computer or service to another.  Kerberos relies on accurate time to prevent credential spoofing.  If the two machines are more than five minutes apart in time, the receiving computer won't accept the Kerberos ticket as authentic.  Time synchronization also allows logs from different servers and network devices to be compared and trusted as an accurate sequence of events.  (Often used in security analysis.)

Getting the Windows Time Service to work correctly was something I struggled with for a long time.  Since I haven't always followed a strict change management process (ahem) my experiments probably took me further from the solution.  One of my new coworkers asked me about difficulty he was having, and it prompted me to fix things once and for all.

These are the key things to keep in mind:

  • Group policy is only used when you have an unusual configuration, such as using a non-Windows time server internally.  A Cisco router would be a candidate for this role.
  • The domain controller with the PDC Emulator role is the root of your internal time infrastructure.
  • An NTP client application can help you diagnose networking issues.

To determine which domain controller holds the PDC role, open Active Directory Users and Computers.  Right-click on the domain object in the left-hand pane, and select Operations Master.  Click on the PDC tab - the dialog box will tell you which server you're looking for.

Windows Group Policy has a number of Time service settings you can manage.  These policies are located at Computer Policy | Administrative Settings | System | Windows Time Service.  To confirm that Group Policy configurations aren't interfering with your efforts, use the Group Policy Management Console to find any GPOs that modify any of these settings.  If you find any, modify them this way: 

  • The Global Configuration Settings GPO should be Not Configured. 
  • Under Time Providers,
    • Enable Windows NTP Client should be Enabled
    • Configure Windows NTP Client should be Not Configured.
    • Enable Windows NTP Server can be disabled as long as this GPO does not apply to the PDC.  You can manage this with GPO blocking or not applying the GPO above the PDC's computer object.

Log into the server with the PDC emulator role.  Download the NISTIME application from here.  This file is the actual executable, no installer required.  Run the application, go to File | Select Server, and check the checkbox labelled "Using NTP Format" alongside the first timeserver listed.  Click OK.  Next, click Query Server and select Now.  If you get an immediate response, your firewall is allowing Network Time Protocol (NTP) traffic to pass back and forth.  If the application gives a "No response" error, look into issues with your firewall(s).

Next, you will configure the PDC emulator to use an external time source.  Start a command prompt and enter the following:  net time /setsntp:time.windows.com,0x1  The 0x1 parameter is needed if you enter the NTP server's name as a fully-qualified domain name.  You can leave the comma and the parameter off if you enter an IP address.  Note that using IP addresses is not a best practice as providers may change IPs on their servers and update the DNS entry without widely announcing the change.

Next, open a command prompt and enter w32tm /config /update.  This too should return a result quickly.  Compare the time on the computer clock with the results of the NISTIME application.  When our systems are working, the time difference is  generally under 2/100ths of a second.

As a final check of the servers, enter the w32tm /monitor from the command prompt.  This command should list:

  • all the domain controllers
  • identify the PDC emulator
  • list the time differences between the PDC emulator and the computer running the w32tm command
  • list the source of each server's time.  Your PDC emulator should list an external time source, while the other domain controllers should list the PDC emulator as their source.

Assuming the server is now retrieving time correctly, the final step is to make sure clients are updating correctly.  If you made any changes to your Group Policy, run GPUPDATE from the command prompt to refresh your client's settings.  Once that has completed, check the application event log on the computer and look for an event from SeCli stating that the security policy has been applied successfully.  You can stop and start the time service by entering net stop w32time && net start w32time at the command prompt.

If the client settings are configured correctly, you can look in the System event log and find an event from source W32time stating that the time service is now synchronizing with time source {any domain controller.}  You can also enter w32tm /resync at the command prompt.

If there are large adustments to be made to the client's clock, they will not be made abruptly.  The computer will slow its clock to 1/4th to 1/2 the normal speed until the time is synchronized.  The event in the System Log will be the immediately available sign that the updates are working.

Posted by jdevries
Friday, April 21, 2006 4:50 PM

More on Kerberos and Delegation Troubleshooting

After working on three or four projects, troubleshooting delegation issues isn't as difficult as I first thought.  I'll list the tools I use and then start working thru the troubleshooting steps. (I'll assume people have a basic understanding of the technology and terminology.)  This article will cover client PC settings and the settings on the server that the client is talking directly to.  The next article will have a process for walking thru an installation that uses service accounts and/or hostheaders.  (The truly complicating factors)

Microsoft has a pretty complete set of tools for troubleshooting Kerberos issues.  The ones I rely upon are:

  • adsiedit.msc
  • search.vbs (a part of the Windows support tools, on the server CD)
  • logon success auditing
  • setspn (limited, adsiedit is much easier to work with)

This should be all you need, assuming that the underlying Kerberos infrastructure is working correctly.

For troubleshooting web applications, the first things to check are the clients' browser settings.  When you open the page you want to delegate, if you are prompted for a username / password, either Internet Explorer or IIS isn't configured to pass integrated credentials along.  If you  then authenticate to the page, check to see which security zone your browser says it is in.  Integrated authentication only works in the Local Intranet and the Trusted Sites zones.  I recommend not using the Trusted Sites zone, as the Local Intranet zone offers a bit more security to the client's browser, and has a rule to allow a hostname url (ie without the domain name, such as http://portal) to automatically be a member.

If IE claims you are in the Internet zone, the browser settings need to be adjusted.  You can either manually add the site to the Intranet zone, or deploy that change via Group Policy

Once the security zone is correct, confirm that integrated authentication is enabled.  Within IE, go to Tools > Internet Options > Security.  Highlight the Local Intranet icon and click the Custom Level button.  Scroll to the bottom of the list of security rights and confirm that the "Automatic Logon only in..." radio button is selected.  Cancel out of that dialog and go to the Advanced tab of Internet Options.  Scroll down to the security section and confirm "Enable Integrated..." is checked.

At the client level, the only things remaining to check is that the computer is a member of a domain that is in the same forest as the target server.  Confirm that the  variance between the server's clock and the computer's clock is not greater than five minutes (time zones notwithstanding.)

To confirm the client is configured correctly, go to the server and open up the Local Security Policy.  Drill into Local Policies and then Audit Policy.  Enable SUCCESS auditing for account logon and logon events.  In the security event viewer, this audit setting will generate entries every time someone authenticates to the local server.  The important part here is that the event record will show the authentication method used, whether it is NTLM or Negotiate.  (AKA Kerberos)

If the logon events show only NTLM entries, we need to look at some of the server's authentication settings.  On the web app or virtual directory you're trying to authenticate to, check the website's properties.  Go to the Directory security tab and click the Edit button within the Authentication box.  For integrated authentication to work correctly, it has to be the ONLY box checked.  Any other auth methods, including anonymous, will prevent kerberos from working.

According to this KB Article, the auth methods of IIS 5.0 can be confirmed by entering the following line, launched from c:\inetpub\wwwroot.  I assume IIS6 comes configured correctly, out of the box.

cscript adsutil.vbs get w3svc/NTAuthenticationProviders

If you don't get this response,

NTAuthenticationProviders       : (STRING) "Negotiate,NTLM",

you need to reconfigure the the server so it does.  The usual disclaimers about modifying your metabase apply - have good backups!  To change the auth methods, enter the following:

cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"
 
The final thing to check is a little more application focused - the web.config file of any .Net project relying on impersonation should have the line <identity impersonate="true" /> in it.
 
Once these settings have been either confirmed or corrected, try reloading the original web page.  Next, check your security audit log and look for successful logon events.  Confirm that these entries are for your user account, in the correct timeframe, and that the "Authentication Package" doesn't read NTLM.
 
If you still can't generate a Kerberos login, you may have to dig further into the underlying Kerberos / Active Directory infrastructure.  As mentioned before, a time variance of more than five minutes will cause Kerberos to fail.  The support tools offers several other applications to help in troubleshooting.
 
One interesting thing I found is that when using IE on the same machine that you're connecting to via IIS, is that NTLM, and not Kerberos,  is the authentication protocol with the highest precedence.  As far as I know, there is no way to change this behavior.  Use a separate client machine for testing.  The rules about security zones and domain membership still apply though.
 
Next time:  How to make that second server in the chain work, how host headers and service accounts make things more difficult, and how to break it down into manageable pieces.
 
Posted by jdevries with 2 comment(s)
Filed under: ,
Tuesday, April 04, 2006 1:44 PM

Domain Registry of America

Every few weeks, we'll have a customer present us with a "bill" from a company called Domain Registry of America.  These "bills" aren't really bills, because they are specifically sent to people who aren't customers!  It's an attempt to get customers to transfer their domain name to DRA.  The problem is that they're deceptive in that effort.

Register.com got an injunction against DRA in 2002.  The judge in that case noted that the principals of the company had previously been convicted of other unlawful activities and noted that their tactics were "neither accidental nor innocuous, but calculated and intended to confuse and mislead consumers."

There is even a name for this sort of practice - domain slamming, much like the practice of phone companies switching you to their service without the consumer even understanding what they've agreed to.

There is a picture of their fake "bills" here.  If you get one, the best thing you can do is throw it away!

Posted by jdevries with 6 comment(s)