
Duo for Windows Login 4.1.1 - Time drift issue

Icebun
Level 1

We have noticed that some users have not been able to get past the Duo Authentication screen after the Windows GINA.

This has been due to time drifting on the endpoints preventing secondary authentication from working.

Luckily we are able to get to the command prompt remotely and issue the time command to set the clock with the right time.

Most times the solution seems to be setting up a Domain Controller as an NTP server and the laptops set up as NTP clients via Group Policy.

This will work where the laptop has VPN capabilities.

However not every laptop user has this feature and everyone is currently WFH.

Can I ask how others have tackled the time sync issue please?

3 Replies

DuoKristina
Cisco Employee

Have you tried explicitly configuring the time policy using Microsoft’s public NTP time.windows.com?

Duo, not DUO.

Thanks for the suggestion.

Yes, I am toying with the idea of pointing all nodes to the Internet site from Microsoft or setting our DC as the NTP source of authority with our endpoints syncing with this Domain Controller.

Looks like both ways are just as valid unless someone tells me different.

I ran into this a lot starting with Windows 10 version 1903. A number of users had problems with Duo due to the time drift. I eventually set all of the laptops to sync time using NTP to pool.ntp.org, and set the domain controllers the same. This keeps the laptops synced with the domain controllers (that’s important!) but also keeps things working.
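The approach discussed in the replies above (pointing endpoints at a public NTP source so they stay in sync without VPN) can be scripted as follows. This is an added example, not code posted by anyone in the thread; the parameter names, the `Get-NtpOffsetSeconds` helper and the 5-second threshold are assumptions made for illustration.

```powershell
# Added example: measure clock offset, point Windows Time at an internet NTP
# source, resync, and measure again. Run from an elevated PowerShell session.
param(
    [string]$NtpServer = 'time.windows.com',  # pool.ntp.org is the other source named in the thread
    [double]$MaxOffsetSeconds = 5             # assumption: example threshold, not a limit documented by Duo
)

function Get-NtpOffsetSeconds {
    param([string]$Server)
    # /dataonly prints one line per sample, e.g. "12:00:01, +00.0123456s"
    $lines = & w32tm.exe /stripchart "/computer:$Server" /samples:3 /dataonly
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
    if (-not $offsets) { throw "No NTP samples from $Server (is outbound UDP 123 blocked?)" }
    return @($offsets)[-1]   # most recent sample
}

$before = Get-NtpOffsetSeconds -Server $NtpServer
'Offset before sync: {0:N3} s' -f $before

# The service must be running before its configuration can be updated.
Set-Service -Name w32time -StartupType Automatic
Start-Service -Name w32time

# 0x9 = client mode (0x8) + special poll interval (0x1).
# /syncfromflags:manual makes a domain-joined machine stop following the
# domain hierarchy, so the domain controllers should use the same source.
# A Group Policy time configuration, if present, overrides these settings.
& w32tm.exe /config "/manualpeerlist:$NtpServer,0x9" /syncfromflags:manual /update
& w32tm.exe /resync /rediscover

$after = Get-NtpOffsetSeconds -Server $NtpServer
'Offset after sync:  {0:N3} s' -f $after

if ([math]::Abs($after) -gt $MaxOffsetSeconds) {
    Write-Warning "Clock still off by more than $MaxOffsetSeconds s; check 'w32tm /query /status'."
    exit 1
}
```

Running only the `Get-NtpOffsetSeconds` part from a remote command prompt session is a quick way to confirm that drift, rather than something else, is what is blocking the Duo prompt on a given endpoint.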
