Synchronize Time Between AD Bridge and the Domain Controller

For the AD Bridge agent to communicate over Kerberos with the domain controller, the clock of the client must be within the domain controller's maximum clock skew, which is 300 seconds, or 5 minutes, by default.

The clock skew tolerance is a server-side setting. When a client communicates with a domain controller, it is the domain controller's Kerberos key distribution center that determines the maximum clock skew. Since changing the maximum clock skew in a client's krb5.conf file does not affect the clock skew tolerance of the domain controller, the change does not allow a client outside the domain controller's tolerance to communicate with it.

The clock skew value that is set in the /etc/pbis/krb5.conf file of Linux or Unix computers is useful only when the computer functions as a server for other clients. In such cases, you can use an AD Bridge Group Policy setting to change the maximum tolerance.

The domain controller uses the clock skew tolerance to prevent replay attacks by keeping track of every authentication request within the maximum clock skew. Authentication requests outside the maximum clock skew are discarded. When the server receives an authentication request within the clock skew, it checks the replay cache to make sure the request is not a replay attack.

For more information, see the MIT article Clock Skew.