Kerberos is a time-sensitive authentication system. This is good. The time tolerance helps to prevent replay attacks. You can make this tolerance more or less strict than the default of 5 minutes. Kerberos authentication packets whose time stamp is within the tolerance value, as compared to the domain controller's clock, are considered valid.
For a local computer, you would open the local security policy.
For a domain joined computer, open a GPO that applies to the client.
For a Domain Controller, open the Default Domain Policy GPO.
Expand: Computer Configuration / Policies / Windows Settings / Security Settings / Account Policies
Open Maximum tolerance for computer clock synchronization
Check Define this policy setting.
Enter the number of minutes you will allow clocks to be out of sync and click OK.
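To confirm the setting after the policy has applied, the following added example (not part of the original page) exports the security policy with secedit, reads MaxClockSkew, and compares it with this machine's measured offset from a domain controller. The name dc01.example.test is a placeholder, and the fallback to 5 minutes when the export has no Kerberos Policy section is an assumption of this script.

```powershell
# Added example, not from the original page. Run from an elevated prompt.
# Assumption: 'dc01.example.test' is a placeholder for one of your domain controllers.
$DomainController = 'dc01.example.test'
$DefaultSkewMinutes = 5   # default tolerance stated in the text above

# 1. Export the security policy and read MaxClockSkew (minutes).
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY /quiet
$skewMinutes = $null
$inKerberos = $false
foreach ($line in Get-Content -Path $inf) {
    $text = $line.Trim()
    if ($text -match '^\[(.+)\]$') {
        $inKerberos = ($Matches[1] -eq 'Kerberos Policy')
    } elseif ($inKerberos -and $text -match '^MaxClockSkew\s*=\s*(\d+)$') {
        $skewMinutes = [int]$Matches[1]
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue
if ($null -eq $skewMinutes) {
    # Assumption: if the export has no [Kerberos Policy] value, use the default.
    Write-Warning "MaxClockSkew not found in export; assuming $DefaultSkewMinutes minutes."
    $skewMinutes = $DefaultSkewMinutes
}

# 2. Measure this machine's clock offset from the domain controller (seconds).
$sample = w32tm /stripchart /computer:$DomainController /samples:1 /dataonly
$pattern = ',\s*([+-]\d+\.\d+)s\s*$'   # data line looks like "12:00:00, +00.0123456s"
$offsetLine = $sample | Where-Object { $_ -match $pattern } | Select-Object -Last 1
if (-not $offsetLine) {
    throw "No time sample returned from $DomainController. Output: $($sample -join ' | ')"
}
$null = $offsetLine -match $pattern
$offsetSeconds = [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)

# 3. Compare the measured offset with the configured tolerance.
$toleranceSeconds = $skewMinutes * 60
[pscustomobject]@{
    ToleranceMinutes = $skewMinutes
    OffsetSeconds    = [math]::Round($offsetSeconds, 3)
    WithinTolerance  = ([math]::Abs($offsetSeconds) -lt $toleranceSeconds)
    HeadroomSeconds  = [math]::Round($toleranceSeconds - [math]::Abs($offsetSeconds), 3)
}
```

A small or negative HeadroomSeconds means the clock is close to or past the tolerance, so fix time synchronization on that machine before considering a wider tolerance.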