NTP Server with Authentication on Windows System

Windows uses W32Time service. W32Time uses Simple Network Time Protocol (SNTP), a subset of NTP, for time synchronization.

Within an AD DS forest, the Windows Time service relies on standard domain security features to enforce the authentication of time data. The security of NTP packets that are sent between a domain member computer and a local domain controller that is acting as a time server is based on shared key authentication. The Windows Time service uses the computer’s Kerberos session key to create authenticated signatures on NTP packets that are sent across the network. NTP packets are not transmitted inside the Net Logon secure channel.

Instead, when a computer requests the time from a domain controller in the domain hierarchy, the Windows Time service requires that the time be authenticated. The domain controller then returns the required information in the form of a 64-bit value that has been authenticated with the session key from the Net Logon service. If the returned NTP packet is not signed with the computer’s session key or is signed incorrectly, the time is rejected. All such authentication failures are logged in the Event Log. In this way, the Windows Time service provides security for NTP data in an AD DS forest.

So in order to use authentication with Windows Time, you need Active Directory domain membership.

For more detail, please see below link.

https://technet.microsoft.com/en-us/library/cc773013%28WS.10%29.aspx