Advanced Windows PowerShell Scripting Video Training


Monday, February 7, 2011

How to alter the Kerberos time synchronization tolerance

Kerberos is a time-sensitive authentication system.  This is good.  The time tolerance helps to prevent replay attacks.  You can make this tolerance more or less strict than the default of 5 minutes.  Network packets for Kerberos authentication that have a time stamp within the tolerance value, as compared to the domain controller's clock, are considered valid.

For a local computer, you would open the local security policy.

For a domain joined computer, open a GPO that applies to the client.

For a Domain Controller, open the Default Domain Policy GPO.

Expand: Computer Configuration / Policies / Windows Settings / Security Settings / Account Policies

Open Maximum tolerance for computer clock synchronization


Check Define this policy setting.

Enter the number of minutes you will allow clocks to be out of sync and click OK.
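Before making the tolerance stricter, it helps to know how far client clocks actually drift from the domain controller. The following is an added example, not part of the original post: it reads MaxClockSkew from a security template and classifies measured offsets against it. The policy text, the w32tm output lines, the host names and the 50% warning margin are constructed or assumed for illustration.

```powershell
# Constructed sample: the [Kerberos Policy] section as it appears in a
# security template (.inf), e.g. one written by: secedit /export /cfg policy.inf
$policyInf = @'
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
'@

# Constructed sample: one data line per client, in the format printed by
#   w32tm /stripchart /computer:<dc> /samples:1 /dataonly
# Host names are hypothetical.
$samples = [ordered]@{
    'WS01'  = '09:15:02, +00.0412345s'
    'WS02'  = '09:15:03, -212.7750310s'
    'SRV07' = '09:15:05, +331.2048811s'
    'WS09'  = '09:15:06, error: 0x800705B4'
}

function Get-MaxClockSkewMinutes([string]$InfText) {
    # MaxClockSkew is expressed in minutes
    if ($InfText -match '(?m)^\s*MaxClockSkew\s*=\s*(\d+)\s*$') {
        return [int]$Matches[1]
    }
    return 5   # default of 5 minutes when the setting is not defined
}

function Test-ClockSkew([string]$Line, [int]$ToleranceMinutes) {
    # Extract the signed offset in seconds; error lines carry no offset
    if ($Line -match ',\s*([+-]\d+\.\d+)s\s*$') {
        $inv    = [cultureinfo]::InvariantCulture
        $offset = [math]::Abs([double]::Parse($Matches[1], $inv))
        $limit  = $ToleranceMinutes * 60
        if ($offset -gt $limit)       { return 'OutsideTolerance' }
        if ($offset -gt $limit * 0.5) { return 'Warning' }   # assumed margin
        return 'OK'
    }
    return 'NoData'
}

$tolerance = Get-MaxClockSkewMinutes $policyInf
foreach ($name in $samples.Keys) {
    $status = Test-ClockSkew -Line $samples[$name] -ToleranceMinutes $tolerance
    [pscustomobject]@{ Host = $name; ToleranceMin = $tolerance; Status = $status }
}
```

Hosts reported as Warning would start failing Kerberos authentication if the tolerance were lowered below their current offset, so fix their time source first.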
