Tag Archives: TCP 123

VMware ESXi 6.5 – Setting up ESX Time Sync via Web Client

Posted on by
Reply

KB ID 0001274 

Another guest post from Daniel Newton

Problem

Now that we have the web console instead of the VI client, and don’t have a windows machine anymore, it would be better to use the web console.

Also, having your ESXi Server running the correct time/date is very important, before you follow this article I should suggest that by making sure the time is set in the ESX Servers BIOS, e.g. the internal clock is set correctly first!!! The amount of times that Windows Domains fail because the time had not been setup properly on the hosts and DC is more than you think! Last thing you want is a massive pain in the arse from your Boss!

Note: Due to the privacy of the customer, I have blurred out their information.

Solution

Note: For this to work the hosts need to be able to communicate with public time servers over NTP (UDP Port 123), ensure your firewall has this port open or time sync will fail.

Firstly, login into the ESX host itself and click on manage on the left-hand side.

Secondly, click on “Time and Date” and edit the settings.

Now, edit the boxes and dropdowns to look like the screenshot below (I am from the UK and typed in the NTP servers for my country, it will be different in other parts of the world) and then click save.

Now that we completed that, we have to start the service. So, go to Actions > NTP Service > Start.

After 30 seconds, you will have this message saying it has completed successfully.

 

Related Articles, References, Credits, or External Links

NA

Set Cisco ASA for Kerberos Authentication

Posted on by

KB ID 0000039

Problem

You want to set up a Cisco ASA to authenticate users (VPN access for example).

Solution

Kerberos can only be used as an authentication protocol on the ASA, so its fine for allowing VPN connections but not for assigning policies etc. To work both the ASA and the domain need to be showing accurate time.

Step 1: Set the ASA to get time from an External NTP Server

1. Log onto the ASA > Go to “Enable Mode” > Issue the following command;

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# ntp server 130.88.212.143 source outside

[/box]

Note that’s a public time server in the UK (Manchester University) that I use. you may want to use another.

2. To check the ASA has synchronised issue the a ‘show ntp status‘ command,

[box]

If you see a message like the following, go and have a coffee.
Petes-ASA(config)# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is 00000000.00000000 (06:28:16.000 UTC Thu Feb 7 2036)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
What you are looking for is "Clock is Syncronized"
Petes-ASA(config)# show ntp status
Clock is synchronized, stratum 3, reference is 130.88.212.143
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cdd7b741.119bcc72 (16:13:53.068 UTC Mon Jun 8 2009)
clock offset is 15.0836 msec, root delay is 56.50 msec
root dispersion is 15931.63 msec, peer dispersion is 15890.63 msec

[/box]

3. Save the update to your firewall with a “write mem” command.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# ntp server 130.88.212.143 source outside

[/box] Note that’s a public time server in the UK (Manchester University) that I use. you may want to use another.

2. To check the ASA has synchronised issue the a ‘show ntp status‘ command,

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

Step 2 – Set the server(s) you are going to authenticate against to a public NTP Server.

Note TCP Port 123 needs to be open outbound for this to work 🙂

1. Log into the Server > Start > run > cmd {enter}

2. Issue the following four commands;

[box]

w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update {enter}
net stop "windows time" {enter}
net start "windows time" {enter}
W32TM /resync {enter}

[/box]

Step 3 – Set up the AAA Kerberos in ASDM

1. Log into the ASDM.

2. Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups (top Section) > Add

3. Give the Server group a name i.e. KerberosGroup > Change the protocol to “Kerberos” > OK.

4. Move to the bottom section of the page (Servers In the Selected Group) > Add.

5. Enter the IP Address of the Domain Controller providing Authentication > In the Realm section enter the “Domain Realm.”

Note: To Find out the REALM, on the domain controller issue the following command; [box] set USERDNSDOMAIN [/box]

Note: enter the Realm “IN CAPITALS

6. Click Apply  > File > “Save running configuration to flash”.

To set up from Kerberos AAA command line

[box]

Petes-ASA>
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# aaa-server KerberosGroup protocol kerberos
Petes-ASA(config-aaa-server-group)# aaa-server KerberosGroup (inside) host 192.1.2.10
Petes-ASA(config-aaa-server-host)# kerberos-realm PETENETLIVE.COM
Petes-ASA(config-aaa-server-host)# exit
Petes-ASA(config)#

[/box]

Step 5 – Test Kerberos Authentication

1. Log into the ASDM.

2. Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups (top Section) > Select the Kerberos Group.

3. In the bottom section click Test.

4. Enter the username and password > OK.

5. It should say that the test was successful.

If It says “Error: Authentication Rejected: Clock skew greater than 300 Seconds” then steps 1 and 2 did not work.

Kerberos Pre-Authentication

Also Note: You may need to turn of “Require pre-authentication” on a user by user basis. If so, log onto the domain controller > Start > Run > dsa.msc > Locate the user > Right Click > Properties > account > Account options (scroll down) > Select “Do Not require Kerberos preauthentication”.

Related Articles, References, Credits, or External Links

Thanks to Zsolt Horvath at Cisco TAC Cisco ASA – Configuring for NTP