Knowledge Base Help Center
How do I resolve the error “Bad request timestamp” when using Duo Authentication for Windows Logon?
Please ensure that the system time where Duo is installed is properly synced with NTP time and the time zone is set correctly.
If the server that is prompting this error message is a virtual machine (VM), please ensure that the VM server’s (the host machine) time is also synced with the correct time.
If you don’t have access to the server in order to confirm the system time, please try the following:
- Log in to the Duo Admin Panel and see if you can find the failed authentication attempt in the Authentication Logs.
- If you do see it, this indicates your Windows Server has connectivity to Duo’s cloud service. If this is the case, put the user in bypass status and try logging in again.
- If the authentication attempt is not appearing in the Authentication Logs, it is possible your Windows Server does not have connectivity to Duo’s cloud service.
- You could modify the registry configuration with safe mode, remote registry or alternatively push an update to that Windows Server via GPO to tell it to FailOpen and ensure the system is not able to reach the Duo cloud to regain access.
- Please note that if the system time is wrong, the FailOpen setting will not work if the Windows machine is still able to reach out to Duo Cloud. You will need to ensure the machine is not able to reach the Duo Cloud for the FailOpen setting to work.
- If you have physical access to the Windows Server, try booting into safe mode and uninstalling Duo Authentication for Windows Logon.
- Ensure that your NTP server is serving UTC (Coordinated Univeral Time). NTP servers, by design, are generally configured to serve only UTC time. All timezone and offsets, such as BST, are meant to be adjusted by the clients and not by the NTP server.
- Ensure you sync the endpoint system time with the NTP server after making changes.
After you have regained access to the server, you can prevent future time sync issues by ensuring your time is configured properly. The maximum accepted time offset between your servers and Duo is 60 seconds.
Please see the following Microsoft documentation pages for more information:
- Windows Time service tools and settings
- How to configure an authoritative time server in Windows Server
The Duo client for Windows Logon and RDP gets the time for the timestamp as UTC from Windows via the GetSystemTime API. If Microsoft has not updated its timezone definitions, the calculation of UTC may not be correct. Ensure you regularly run Windows updates to get the latest timezone definitions.
For more information or help troubleshooting, see our Duo Authentication for Windows Logon and RDP troubleshooting documentation or more related Windows Logon Knowledge Base articles.
Related articles pertaining to Windows Logon Offline Access: