
Configure Kerberos clock synchronization tolerance for Windows Servers

For Windows Servers, time-sensitive configurations may be a requirement. Rick Vanover describes a Group Policy configuration that enforces a time tolerance.

When Active Directory is in use, there are a number of built-in protections to ensure time consistency for Windows Servers. One aspect of Active Directory is the automatic time synchronization that comes with joining a domain. Within Group Policy, there is an option to enforce a tolerance for time synchronization for Kerberos authentication. Kerberos is the authentication protocol between Windows systems that utilizes system times to validate authentication.

The default tolerance for time differences is five minutes with Active Directory for Windows Server 2008 R2; the Maximum Tolerance For Computer Clock Synchronization value in Group Policy can tighten this window in units of minutes if required. This value is located in Computer Configuration | Policies | Windows Settings | Security Settings | Account Policies | Kerberos Policy (Figure A). Tightening this value is designed to protect against replay attacks, in which offset times can allow a duplicated transaction to be falsely accepted as valid.

Figure A


This configuration value in Group Policy is not designed to be a "highly accurate" tolerance enforcement mechanism, though it may be a "good enough" approach. For most Windows Server installations, if there is concern about a replay attack, I recommend tightening the window of time for this tolerance mechanism and then increasing the frequency of time synchronization attempts through Group Policy.
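The following added example (not from the original article and not Windows code) is a simplified Python model of the timestamp check a Kerberos service applies, run with the default five-minute tolerance and with a tightened one-minute tolerance. It shows how the tolerance bounds the period in which a repeated authenticator has to be caught by a replay cache, and what the tighter setting costs a host with a drifting clock. The class name, function name, client names and timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

class AuthenticatorCheck:
    """Simplified model (not Windows code) of a Kerberos timestamp check."""

    def __init__(self, max_skew_minutes):
        self.max_skew = timedelta(minutes=max_skew_minutes)
        self.seen = {}  # replay cache: (client, authenticator time) -> first seen

    def validate(self, client, auth_time, server_now):
        # Entries older than the tolerance can be dropped: the skew check
        # below rejects them anyway, so the window bounds the cache size.
        self.seen = {k: v for k, v in self.seen.items()
                     if abs(server_now - k[1]) <= self.max_skew}
        if abs(server_now - auth_time) > self.max_skew:
            return "REJECT_SKEW"
        if (client, auth_time) in self.seen:
            return "REJECT_REPLAY"
        self.seen[(client, auth_time)] = server_now
        return "ACCEPT"

def compare_tolerances(tolerances=(5, 1)):
    """Run the same constructed message sequence under each tolerance."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed time
    results = {}
    for minutes in tolerances:
        svc = AuthenticatorCheck(minutes)
        results[minutes] = [
            # Genuine request, server clock 2 seconds ahead of the client.
            svc.validate("alice", t0, t0 + timedelta(seconds=2)),
            # Same authenticator seen again 30 seconds later.
            svc.validate("alice", t0, t0 + timedelta(seconds=30)),
            # Same authenticator seen again 3 minutes later.
            svc.validate("alice", t0, t0 + timedelta(minutes=3)),
            # Genuine request from a host whose clock runs 4 minutes slow.
            svc.validate("bob", t0 + timedelta(minutes=6),
                         t0 + timedelta(minutes=10)),
        ]
    return results

if __name__ == "__main__":
    for minutes, outcome in compare_tolerances().items():
        print(f"{minutes}-minute tolerance: {outcome}")
```

With the one-minute tolerance the three-minute-old duplicate is refused by the time check alone, but the host that is four minutes slow is refused as well, which is why the tighter window goes together with more frequent time synchronization.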

Have you addressed time tolerance issues with Kerberos in Active Directory? If so, share your experiences in the discussion.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.
