Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy
Determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous.
In order to prevent "replay attacks," Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in synch as much as possible. In other words, both computers need to be set to the same time and date. Because the clocks of two computers are often out of synch, administrators can use this policy to establish the maximum acceptable difference to Kerberos between a client's clock and server's clock. If the difference between a client's clock and the server's clock is less than the maximum time difference specified in this policy, any timestamp used in a session between the two computers will be considered authentic.
By default, this value is set to 5 minutes in the Default Domain Group Policy object (GPO).