This article describes behavior in which Kerberos tickets are issued even though the time difference between a client clock and a domain controller clock is greater than the "Maximum tolerance for computer clock synchronization" value.
For example, assume that you have configured the Maximum tolerance for computer clock synchronization Group Policy setting in a domain environment. A Windows Server 2003-based domain controller may issue a Kerberos ticket to a client computer even though the time difference between the client clock and the domain controller clock is more than the value that you configured for this Group policy setting.
Note The default value for the Maximum tolerance for computer clock synchronization setting is five minutes.
If a client computer sends a time stamp whose value differs from that of the server’s time stamp by more than the value that you configured in the Maximum tolerance for computer clock synchronization
setting, the domain controller returns a "KRB_AP_ERR_SKEW" error code in its response packet. In this packet, the domain controller also includes a time stamp of its own clock. When the client computer receives this packet, it uses the time stamp of the domain controller together with the value of the Maximum tolerance for computer clock synchronization
setting to calculate the valid time. Then, the client computer uses the valid time to retry the request. On this second try, the Kerberos ticket is issued to the client computer.
This behavior is documented in Request for Comments (RFC) 4430, "Kerberized Internet Negotiation of Keys (KINK)." To see RFC 4430, visit the following Request for Comments Web site:
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
If the clock of the client computer is faster than the clock time of the domain controller plus the lifetime of Kerberos ticket, the Kerberos ticket is invalid. In this scenario, the logon fails.
By default, the lifetime of a Kerberos ticket is 10 hours (600 minutes). To modify the lifetime value, configure the following Group Policy settings:
- Computer Configuration/Windows Settings/Security Settings/Account Policies/Kerberos Policy/Maximum Service Ticket Lifetime
- Computer Configuration/Windows Settings/Security Settings/Account Policies/Kerberos Policy/Maximum User Ticket Lifetime
For more information about the Maximum tolerance for computer clock synchronization
Group Policy setting, visit the following Microsoft Web site: