Maximum tolerance for computer clock synchronization

This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller running Windows Server 2003 that provides Kerberos authentication.

To prevent "replay attacks," Kerberos V5 uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both computers must be set to the same time and date. Because the clocks of two computers are often out of sync, administrators can use this policy to establish the maximum acceptable difference to Kerberos V5 between a client clock and domain controller clock. If the difference between a client clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any time stamp that is used in a session between the two computers is considered to be authentic.


This setting is not persistent on pre Vista platforms. If you configure this setting and then restart the computer, this setting reverts to the default value.

Policy path: 

Computer Configuration\Windows Settings\Local Policies\Kerberos Policy


clients will get the new setting after a maximum of 8 hours but for DCs to assign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings.


5 minutes.

Supported on: 

At least Windows XP SP2, Windows Server 2003

Registry settings: 

Kerberos Policy security settings are not registry keys.

Reboot required: 


Related content