The internal clocks of all hosts that participate in the Kerberos authentication system must be synchronized within a specified maximum amount of time. Known as clock skew, this feature provides another Kerberos security check. If the clock skew is exceeded between any of the participating hosts, requests are rejected.
One way to synchronize all the clocks is to use the Network Time Protocol (NTP) software. For more information, see Synchronizing Clocks Between KDCs and Kerberos Clients. Other ways of synchronizing the clocks can be used; however, some form of synchronization is required.