
Configure Kerberos clock synchronization tolerance for Windows Servers

For Windows Servers, time-sensitive configurations may be a requirement. Rick Vanover describes a Group Policy configuration that enforces a time tolerance.

When Active Directory is in use, there are a number of built-in protections to ensure time consistency for Windows Servers. One of them is the automatic time synchronization that comes with joining a domain. Within Group Policy, there is also an option to enforce a tolerance on time synchronization for Kerberos authentication. Kerberos is the authentication protocol between Windows systems, and it relies on system time to validate authentication exchanges.

The default tolerance for time differences is five minutes with Active Directory for Windows Server 2008 R2; the Maximum Tolerance For Computer Clock Synchronization value in Group Policy can tighten this window, in units of minutes, if required. This value is located in Computer Configuration | Policies | Windows Settings | Security Settings | Account Policies | Kerberos Policy (Figure A). Tightening this value is intended to protect against replay attacks, in which a captured authentication exchange is re-sent and still accepted because the clock offset keeps it inside the allowed window.

Figure A


This Group Policy value is not designed as a "highly accurate" tolerance enforcement mechanism, though it may be a "good enough" approach. For most Windows Server installations, if there is concern about a replay attack, I recommend tightening the window for this tolerance mechanism and then increasing the frequency of time synchronization attempts through Group Policy.
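The two settings the article recommends adjusting, the Kerberos tolerance and the synchronization frequency, can be audited from a domain member. The following PowerShell is an added example and is not code from the article or from the author: it reads MaxClockSkew from the Default Domain Policy security template in SYSVOL (the setting is assumed to be configured there, where Kerberos Policy is normally set), measures the local clock against a domain controller with a plain SNTP request on UDP/123, and reports the NTP client poll interval that the "Configure Windows NTP Client" policy controls. The domain and DC names are taken from the logon session's environment variables, and a five-minute default is assumed when the template cannot be read.

```powershell
# Added example, not code from the article: audit whether this domain member is
# inside the Kerberos clock-skew window and how often it polls for time.

function Get-KerberosMaxClockSkewMinutes {
    param([string]$DomainDnsName, [int]$DefaultMinutes = 5)
    # {31B2F340-016D-11D2-945F-00C04FB984F9} is the well-known GUID of the Default
    # Domain Policy. Kerberos Policy is stored in its GptTmpl.inf, not in the registry.
    $inf = "\\$DomainDnsName\SYSVOL\$DomainDnsName\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}" +
           "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path -LiteralPath $inf)) { return $DefaultMinutes }   # unreadable: assume the default
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Kerberos Policy'); continue }
        if ($inSection -and $line -match '^\s*MaxClockSkew\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $DefaultMinutes
}

function Get-ClockOffsetFromDc {
    param([string]$DcName, [int]$TimeoutMs = 3000)
    # 48-byte SNTP client request: LI=0, VN=3, Mode=3 packs to 0x1B in byte 0.
    $request = New-Object byte[] 48
    $request[0] = 0x1B
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($DcName, 123)
        $t1 = [DateTime]::UtcNow
        [void]$udp.Send($request, $request.Length)
        $remote = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
        $reply = $udp.Receive([ref]$remote)
        $t4 = [DateTime]::UtcNow
    } finally { $udp.Close() }
    # Transmit timestamp is bytes 40..47: big-endian seconds and fraction since 1900-01-01 UTC.
    # The slices are reversed so BitConverter (little-endian) reads them correctly.
    $secs = [BitConverter]::ToUInt32([byte[]]$reply[43..40], 0)
    $frac = [BitConverter]::ToUInt32([byte[]]$reply[47..44], 0)
    $epoch = New-Object DateTime -ArgumentList 1900, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $serverTime = $epoch.AddSeconds($secs + $frac / [math]::Pow(2, 32))
    # Compare the server stamp with the midpoint of the round trip to cancel network delay.
    $midpoint = $t1.AddTicks([long](($t4 - $t1).Ticks / 2))
    return ($serverTime - $midpoint)   # positive means the local clock is behind the DC
}

function Get-NtpClientPollIntervalSeconds {
    # "Configure Windows NTP Client" in Group Policy writes SpecialPollInterval here.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient'
    return (Get-ItemProperty -Path $key -Name SpecialPollInterval -ErrorAction SilentlyContinue).SpecialPollInterval
}

function Test-KerberosClockSkew {
    param(
        [string]$DomainDnsName = $env:USERDNSDOMAIN,                 # assumed: domain logon session
        [string]$DcName = ($env:LOGONSERVER -replace '^\\\\', '')    # strip the leading "\\"
    )
    $toleranceMin = Get-KerberosMaxClockSkewMinutes -DomainDnsName $DomainDnsName
    $offset = Get-ClockOffsetFromDc -DcName $DcName
    $skewMin = [math]::Abs($offset.TotalMinutes)
    [pscustomobject]@{
        DomainController    = $DcName
        ToleranceMinutes    = $toleranceMin
        OffsetSeconds       = [math]::Round($offset.TotalSeconds, 3)
        PollIntervalSeconds = Get-NtpClientPollIntervalSeconds
        WithinTolerance     = ($skewMin -lt $toleranceMin)
        # Flag hosts drifting toward the limit before Kerberos authentication starts failing.
        NearLimit           = ($skewMin -ge ($toleranceMin * 0.5))
    }
}

Test-KerberosClockSkew | Format-List
```

Run it on a member server after tightening the policy: a host that reports NearLimit while the poll interval is still at its default is the case the article describes, where the window was narrowed without also making synchronization more frequent, and is the first place to expect Kerberos failures.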

Have you addressed time tolerance issues with Kerberos in Active Directory? If so, share your experiences in the discussion.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

5 comments
crcgraphix

Here we have an innate example of cat chases mouse, and then the proverbial cat is chased by an extremely scary mouse. This is like what, you may ask? Stereo-phonics vs. mono-phonics and dual-ethics systems vs. singular-ethics systems. You see, it's not just like a time portal but like the actual creature inside it at the same time. Bandwidth increases the possibilities for both cat and mouse ... or Kerberos and clock. Like the old "mouse ran up the clock" song, eh?

january

So do you need to apply this policy just to domain controllers, or all the computers in the domain?

m.ferro

How do you increase the frequency of time synchronization attempts through Group Policy?

priyo123

Why must we tighten it? It can consume bandwidth if pressed to 2 minutes. CMIIW

rsimms

The question doesn't quite make sense, unless you are asking if the local policies need to be changed. Normally you would set the policy in Active Directory (Domain Controller) and it would propagate to all domain computers.