WinSecWiki > Security Settings > Account Policies > Kerberos Policy > Clock Sync

Maximum Tolerance For Computer Clock Synchronization

This setting determines how far out of sync the domain controller and member computer can be before Kerberos operations fail. To protect against replay attacks Kerberos uses timestamps that are verified against the system's current time which requires all clocks within trusted Kerberos realms (including Windows domains) to be closely synchronized.

Within an AD environment this synchronization happens automatically thanks to the Windows Time Service.

This setting default to 5 minutes.

If a computer is too far out of sync with the domain controller you will get Account Logon failure events in the security log with failure code 0x25.

Bottom line

Leave this at the default unless you have special circumstances requiring more tolerance due to poor time synchronization on your network.

Upcoming Webinars

Additional Resources

Kerberos Policy

•	Logon Restrictions
•	Service Ticket
•	User Ticket
•	Ticket Renewal
•	Clock Sync

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.