PAM-CMN-5128 NTP not properly configured with condition reject

Article ID: 102387


Updated On: 04-08-2025

Products

CA Privileged Access Manager (PAM)

Issue/Introduction


NTP servers are configured following CA PAM documentation, but when trying to turn on the cluster, it fails with PAM reporting the following error for each cluster node:

PAM-CMN-5128: <cluster node address>: NTP not properly configured.

The Configuration > Date/Time > NTP Status shows the configured time servers with condition reject.

Cause

PAM can connect to the configured time servers, but it rejects them as valid NTP servers because of problems in the NTP data it receives. These can be large time offsets, large jitter values, or large root dispersion values. Large root dispersion would NOT be visible in the PAM UI: the statistics at the bottom of the NTP Status page are PAM's own NTP statistics, not the values received from the configured NTP servers. In the example below, the PAM NTP statistics show that the configured NTP servers are themselves unsynchronized, resulting in a stratum=16 status, because those servers do not synchronize their clocks with an authoritative time source and are used as local time references only. This is not good enough for PAM, which allows nodes from anywhere to join a cluster.

 

 

Resolution

If you configured Windows servers as NTP servers, make sure they are configured correctly to get their time from an authoritative time source. Within a domain, the servers will likely synchronize their time with the Root Primary Domain Controller (Root PDC). Assuming that is the case, the Root PDC should be configured as described on the Microsoft page "Configure the Root PDC with an Authoritative Time Source and Avoid a Widespread Time Skew". Specifically, check the Type and NtpServer settings in the registry key HKLM\System\CurrentControlSet\Services\W32Time\Parameters. By default they are set to Type=NT5DS and NtpServer=time.windows.com,0x8 (or 0x9). Change them according to the above document to use Type=NTP and known authoritative time sources as NTP servers:

 

In general, we recommend using standard UNIX/Linux-based NTP servers for configuration in PAM, if they are available in your environment.
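To see the values described under Cause that the PAM UI does not show, the following Python script (an added example, not Broadcom or PAM code) decodes the header of an NTP server reply and lists the reasons a client would distrust it. The 1-second root-distance limit is the RFC 5905 default and is an assumption, since the page does not state PAM's own limit; the sample replies are constructed, and the function names are hypothetical.

```python
import socket
import struct

# Assumption: RFC 5905 MAXDIST (1 s); the page does not state PAM's own limit.
MAX_ROOT_DISTANCE = 1.0
# LI/VN/mode, stratum, poll, precision, root delay, root dispersion, reference ID
HEADER = struct.Struct("!BBbbII4s")

def parse_header(packet):
    """Decode the first 16 bytes of an NTP reply (RFC 5905 header layout)."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    flags, stratum, _poll, _prec, delay, disp, refid = HEADER.unpack_from(packet)
    return {"leap": flags >> 6, "stratum": stratum,
            "root_delay": delay / 65536.0,          # 16.16 fixed point, seconds
            "root_dispersion": disp / 65536.0, "refid": refid}

def reject_reasons(hdr):
    """Return the reasons a client would distrust this server; empty list = usable."""
    reasons = []
    if hdr["leap"] == 3:
        reasons.append("leap indicator 3 (clock unsynchronized)")
    if hdr["stratum"] == 0 or hdr["stratum"] >= 16:
        reasons.append("stratum %d (unspecified or unsynchronized)" % hdr["stratum"])
    # Server-advertised part of the root distance: a lower bound on the real value.
    distance = hdr["root_delay"] / 2 + hdr["root_dispersion"]
    if distance > MAX_ROOT_DISTANCE:
        reasons.append("root distance %.3f s exceeds %.1f s" % (distance, MAX_ROOT_DISTANCE))
    return reasons

def query(host, timeout=3.0):
    """Send one client request (version 4, mode 3) and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(b"\x23" + bytes(47), (host, 123))
        return s.recvfrom(512)[0]

def build_reply(leap, stratum, root_delay, root_disp, refid=bytes(4)):
    """Constructed sample reply for offline use; timestamps are zeroed."""
    flags = (leap << 6) | (4 << 3) | 4
    return HEADER.pack(flags, stratum, 6, -20, int(root_delay * 65536),
                       int(root_disp * 65536), refid) + bytes(32)

if __name__ == "__main__":
    samples = {"synchronized": build_reply(0, 2, 0.020, 0.030),
               "unsynchronized": build_reply(3, 0, 0.0, 0.0),
               "local clock only": build_reply(0, 1, 0.0, 10.0, b"LOCL")}
    for name, pkt in samples.items():
        print(name, "->", reject_reasons(parse_header(pkt)) or "accepted")
```

To check one of your own time servers, pass its address to query() and feed the result to parse_header() and reject_reasons().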