For example, assume that you have configured the Maximum tolerance for computer clock synchronization Group Policy setting in a domain environment. A Windows Server 2003-based domain controller may issue a Kerberos ticket to a client computer even though the time difference between the client clock and the domain controller clock is more than the value that you configured for this Group policy setting.
Note The default value for the Maximum tolerance for computer clock synchronization setting is five minutes.
This behavior is documented in Request for Comments (RFC) 4430, "Kerberized Internet Negotiation of Keys (KINK)." To see RFC 4430, visit the following Request for Comments Web site:Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
If the clock of the client computer is faster than the clock time of the domain controller plus the lifetime of Kerberos ticket, the Kerberos ticket is invalid. In this scenario, the logon fails.
By default, the lifetime of a Kerberos ticket is 10 hours (600 minutes). To modify the lifetime value, configure the following Group Policy settings:
- Computer Configuration/Windows Settings/Security Settings/Account Policies/Kerberos Policy/Maximum Service Ticket Lifetime
- Computer Configuration/Windows Settings/Security Settings/Account Policies/Kerberos Policy/Maximum User Ticket Lifetime
Article ID: 956627 - Last Review: Oct 22, 2008 - Revision: 1