Kerberos Policies and Time Zones

Giganews Newsgroups
Subject: Kerberos Policies and Time Zones
Posted by:  Trevor (Trev…
Date: Thu, 15 May 2008

Win 2k3 SP1 Active Directory - 2003 Domain and Forest functional level
Windows XP clients

By default, the Kerberos policy in a domain is set to require clients' clocks
to be within 5 minutes of the clock of the domain controller.  My question is
how this would work with remote users - e.g.:

Our primary domain controllers are all located in the Central Time zone in
our Home Office, but we have users that will be working via a VPN tunnel
provided by Juniper hardware firewalls in other time zones in the United
States.  Because of the difference in time zones, won't clients be unable to
authenticate because the domain controller will see the client time as
greater than 5 minutes off due to the time zone difference?  Or does the
authentication take place using UTC time?  Any information on this is