
NTP synchronization always fails when authenticated

Chad Westog
Level 1

Looking for some assistance...running into some odd behavior with authenticated NTP


Source: Cisco 4451 and 4331 routers are NTP sources (Running IOS XE 17.6 code)...pulling from public NTP (sync'd stratum 2 & 3)

Clients: Several Cisco 3850 switches (Running IOS XE 16.12/16.9 code)

 

When no authentication is enabled all devices sync to the two routers (4451 is the preferred)

When I enable ntp authentication nothing syncs.  All the switches sit at .INIT

When I check show ntp associations detail they all show the following:

x.x.x.x configured, ipv4, authenticated (' ' reject), insane, invalid, unsynced, stratum 16

rec time xxxxxxxxxxx Mon Jan 1 1900

xmt time xxxxxxxxxxx Mon Jan 1 1900

 

As soon as I turn off ntp authentication, the switches instantly sync

Validated the ntp keys, cut-n-paste the keys from the same text file

 

Config Snippet:

Routers (NTP Source)

ntp authentication-key 1 md5 testkey1

ntp authenticate

ntp-trusted-key 1

ntp-server X.X.X.X (Public NTP servers)

ntp-server Y.Y.Y.Y (Public NTP servers)

 

Switches (NTP Clients)

ntp authentication-key 1 md5 testkey1

ntp authenticate

ntp-trusted-key 1

ntp-server 10.x.255.1 key 1 prefer (4451 loopback)

ntp-server 10.x.255.3 key 1 (4331 loopback)

 

When I debug on the switches I get the following message: 

NTP Core(INFO): 10.x.255.1 C01C 8C bad_auth no key (16.9 code)

Or

NTP Core(INFO): 10.x.255.1 C01C 8C bad_auth Invalid_NAK (16.12 code)

However I know the keys are there on the routers/switches, again a cut-n-paste from a text file...( I copied from one text editor to a different one in case I had some weird application issue)

Not using any NTP ACL's and the switches can all reach the router loopbacks.  No in-path ACL's blocking access to the routers..again NTP works in a non-authenticated mode.

 

So I'm wondering, do I have a bug on the sender (router side) or the receiver (switch side)?
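
Added example, not part of the original thread and not Cisco code: a minimal receiver-side check of the RFC 5905 symmetric-key MAC (a 4-byte key ID followed by MD5 of key plus header), showing how an untrusted or missing key ID, a key that differs by one character, and a crypto-NAK are each rejected on a different path. The packet contents, result labels and function names are constructed for illustration, and any mapping of these labels to the IOS XE debug strings above is an assumption.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48  # fixed NTP header; the symmetric-key MAC follows it


def _header(mode, stratum):
    # Constructed header: LI=0, VN=4, given mode/stratum, remaining fields zeroed.
    return struct.pack("!BBbb", (4 << 3) | mode, stratum, 6, -20) + bytes(44)


def build_packet(key_id, key, mode=4, stratum=3):
    """Sender side: header + key ID + MD5(key || header)."""
    header = _header(mode, stratum)
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def crypto_nak(mode=4):
    """Header followed only by key ID 0: the sender could not authenticate the request."""
    return _header(mode, 0) + struct.pack("!I", 0)


def check_auth(packet, keys, trusted):
    """Receiver side: classify a packet against the configured and trusted keys."""
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if not mac:
        return "unauthenticated"
    if len(mac) == 4:
        return "crypto_nak" if mac == bytes(4) else "malformed_mac"
    if len(mac) != 20:  # 4-byte key ID + 16-byte MD5 digest
        return "malformed_mac"
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys or key_id not in trusted:
        return "no_key"  # key must be both defined and listed as trusted
    expected = hashlib.md5(keys[key_id] + header).digest()
    return "ok" if hmac.compare_digest(expected, mac[4:]) else "bad_digest"


def demo():
    reply = build_packet(1, b"testkey1")  # constructed server reply using key 1
    return {
        "matching key, trusted": check_auth(reply, {1: b"testkey1"}, {1}),
        "key defined, not trusted": check_auth(reply, {1: b"testkey1"}, set()),
        "pasted with trailing space": check_auth(reply, {1: b"testkey1 "}, {1}),
        "crypto-NAK from server": check_auth(crypto_nak(), {1: b"testkey1"}, {1}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
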

7 Replies

ntp authentication-key 1 md5 clear testkey1 <<- add clear in both side and check 
MHM

Invalid input detected...can't put clear and the key.  I can put clear by itself but I'm assuming that the devices are accepting that as the new key

Hello,

--> cut-n-paste 

That might be the problem. What if you type in the key manually?

Manually entered the key string on both sides and still no good...on the switch I was testing with I get the same debug message NTP Core(INFO): 10.x.255.1 C01C 8C bad_auth no key

Chad Westog
Level 1

On a side note I'm starting to lean towards an issue on the switch side, I just pointed a third router (4451 running IOS XE 17.3) I use as a VPN gateway at the two routers and it authenticated with no issue.

show ntp associations detail

10.x.255.3 configured, ipv4, authenticated ('*' sys.peer), authtype (md5), our_master, sane, valid, stratum 3

Sorry, is this issue solved?
Thanks

Hello,

What if you toggle the NTP versions?

--> ntp-server 10.x.255.1 key 1 prefer (4451 loopback) version 3/4