We have a network where the time on some of the client workstations is inaccurate. There is a problem with NTP on the clients or domain controllers causing the time to not synchronize. We are working on that problem separately.
In the meantime, authentication requests on the domain via NTLM fail after a period of time when the clock drifts away from the domain controller and server's times. What is the threshold of clock accuracy needed for these requests to succeed? Do the clocks have to be accurate to 10 seconds of each other? 30 seconds? One minute?
EDIT: An answer that specifies NTLM does not rely on the correct time is incorrect. According Microsoft KB Article 976918: http://support.microsoft.com/kb/976918
Windows 7 and Windows Server 2008 R2 support Extended Protection for
Integrated Authentication which includes support for Channel Binding
Token (CBT) by default. […] You may experience one or more of the
following symptoms: […] NTLM authentication failures when there is a
time difference between the client and DC or workgroup server.
Best Answer
As far as I know, timestamps are not used in NTLM at all.
On the other hand, Kerberos (which is the primary authentication protocol in Active Directory), generally requires the clocks to be within a few minutes. Microsoft Windows has 5 minutes as the default
MaxClockSkew, as does MIT Kerberos.