Created on 07-31-2024 10:21 PM
Edited on 08-19-2024 08:40 AM
By Stephen_G
| Description |
This article explains why correct NTP configuration is important when FortiAuthenticator joins Microsoft Active Directory. |
| Scope |
FortiAuthenticator. |
| Solution |
'Time skew', or time synchronization, is a crucial aspect of joining a computer to an Active Directory (AD) domain, especially for Microsoft LDAP.
Microsoft LDAP mainly uses Kerberos V5, which is highly sensitive to timestamps. As part of its protection against a 'replay attack', it rejects an authentication request if the timestamp is not within the configured tolerance value.
By default, Microsoft LDAP tolerates a maximum difference of 5 minutes. For more information, refer to the following link:
Maximum tolerance for computer clock synchronization
To prevent FortiAuthenticator from failing to join Microsoft Active Directory, the clocks of the FortiAuthenticator and the domain controller need to be as closely synchronized as possible. |
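
As an added illustration (not Fortinet's code or part of the original article), the following Python sketch measures the clock offset against a time source such as the domain controller with a plain SNTP query and compares it to the 5-minute default described above. The function names and the `server` argument are assumptions made for this example, and `sample_reply` builds a constructed packet so the logic can be exercised offline.

```python
import socket
import struct
import time

NTP_DELTA = 2208988800      # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MAX_SKEW = 5 * 60           # default tolerance named in the article, in seconds


def to_ntp(t):
    """Unix time (float) -> (seconds, fraction) as 32-bit NTP fields."""
    return int(t) + NTP_DELTA, int((t - int(t)) * 2**32)


def parse_offset(reply, t_send, t_recv):
    """Return the server-minus-local clock offset in seconds from an SNTP reply."""
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    if reply[0] & 0x07 != 4:
        raise ValueError("not a server-mode reply")
    if reply[1] == 0:
        raise ValueError("stratum 0 (kiss-o'-death), server is not serving time")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    srv_rx = rx_s - NTP_DELTA + rx_f / 2**32   # server receive timestamp
    srv_tx = tx_s - NTP_DELTA + tx_f / 2**32   # server transmit timestamp
    # Standard NTP offset: average of the two one-way differences.
    return ((srv_rx - t_send) + (srv_tx - t_recv)) / 2


def within_tolerance(offset, max_skew=MAX_SKEW):
    """True if the measured offset would fit inside the skew tolerance."""
    return abs(offset) <= max_skew


def query_offset(server, timeout=3.0):
    """Ask `server` (hypothetical: the domain controller's address) over UDP/123."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t_send = time.time()
        s.sendto(struct.pack("!B39x2I", 0x1B, *to_ntp(t_send)), (server, 123))
        reply, _ = s.recvfrom(512)
        return parse_offset(reply, t_send, time.time())


def sample_reply(server_time):
    """Constructed server reply (mode 4, stratum 2) stamped with server_time."""
    sec, frac = to_ntp(server_time)
    return struct.pack("!BB30x4I", 0x1C, 2, sec, frac, sec, frac)
```

Running `within_tolerance(query_offset(server))` from a host on the same network segment as FortiAuthenticator gives a quick indication of whether the time source it is configured to use agrees with the domain controller.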