PAM-CMN-5128 NTP not properly configured when trying to turn on cluster

Article ID: 102387


Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction


NTP servers are configured following CA PAM documentation, but when trying to turn on the cluster, it fails with PAM reporting the following error for each cluster node:

PAM-CMN-5128: <cluster node address>: NTP not properly configured.

Why is this happening?

Environment

Applies to any PAM release

Cause

PAM can connect to the configured time servers, but it does not accept them as valid NTP servers because of problems in the NTP data it receives from them. These can be large time offsets, large jitter values, or large root dispersion values. The latter would NOT be seen in the PAM UI: the statistics at the bottom of its NTP Status page are PAM's own NTP statistics, not the values received from the configured NTP servers.
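Because the root dispersion a server advertises is not shown in the PAM UI, it can be read directly from the server's NTP reply. The following is an added example, not code from PAM or from this article: it decodes the reply header and lists the reasons an NTP client would refuse the server. The 1.5 s root-distance limit is an assumption borrowed from the reference ntpd default (PAM's own limit is not stated here), and the two sample packets are constructed.

```python
import socket
import struct

# Assumed limit: reference ntpd's default "tos maxdist"; PAM's own limit is not stated in the article.
MAX_ROOT_DISTANCE = 1.5  # seconds

def parse_ntp_header(packet: bytes) -> dict:
    """Decode the header fields of an NTP reply that a client uses to judge the server."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than the 48-byte header")
    flags, stratum, _poll, _prec, delay, disp = struct.unpack("!BBbbII", packet[:12])
    return {
        "leap": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
        "stratum": stratum,
        "root_delay": delay / 65536,       # 16.16 fixed point, seconds
        "root_dispersion": disp / 65536,
    }

def rejection_reasons(hdr: dict, max_distance: float = MAX_ROOT_DISTANCE) -> list:
    """List the reasons a client would refuse to select this server (empty list = acceptable)."""
    reasons = []
    if hdr["mode"] != 4:
        reasons.append("not a server-mode reply")
    if hdr["leap"] == 3:
        reasons.append("leap indicator 3: server clock is unsynchronized")
    if hdr["stratum"] == 0 or hdr["stratum"] >= 16:
        reasons.append(f"stratum {hdr['stratum']}: unspecified or unsynchronized")
    # Simplified root distance: half the root delay plus the root dispersion.
    distance = hdr["root_delay"] / 2 + hdr["root_dispersion"]
    if distance > max_distance:
        reasons.append(f"root distance {distance:.3f}s exceeds {max_distance}s")
    return reasons

def query(server: str, timeout: float = 3.0) -> dict:
    """Send one client-mode request (LI=0, VN=4, Mode=3) and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(bytes([0x23]) + bytes(47), (server, 123))
        reply, _ = s.recvfrom(512)
    return parse_ntp_header(reply)

# Constructed sample replies (not captured traffic): a healthy stratum-2 server and
# a server advertising 10 s of root dispersion.
GOOD = struct.pack("!BBbbII", 0x24, 2, 6, -23, 655, 1310) + bytes(36)
BAD = struct.pack("!BBbbII", 0x24, 3, 6, -6, 1966, 655360) + bytes(36)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("bad", BAD)):
        hdr = parse_ntp_header(pkt)
        print(name, hdr, rejection_reasons(hdr) or "acceptable")
```

To check a configured time server, pass its address to `query()` from a host that can reach it on UDP port 123 and feed the result to `rejection_reasons()`.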

Resolution

If you configured Windows servers as NTP servers, make sure they are configured correctly to get the time from an authoritative time source. Within a domain, the servers will likely synchronize their time with the Root Primary Domain Controller (Root PDC). Assuming that is the case, the Root PDC should be configured as discussed in this Microsoft document. Specifically, check the Type and NtpServer settings in registry key HKLM\System\CurrentControlSet\Services\W32Time\Parameters. By default they would be set to Type=NT5DS and NtpServer=time.windows.com,0x8 (or 0x9). Change them according to the above document to use Type=NTP and known authoritative time sources as NTP servers:

In general, we recommend the use of standard UNIX/Linux-based NTP servers for configuration in PAM, if available in your environment.