One thing that Apple seems to have down pat in their documentation and troubleshooting methodologies in courseware is that if you have a problem with Kerberos clients, one of the first things to check is that the clock is at less than a 5 minute skew. However, I don’t really remember seeing this come up in any of my Active Directory certification exams (or the books for that matter). Therefore, it was no surprise that when a Windows client couldn’t authenticate to an Active Directory environment that no one thought to check the clock skew… But it’s worth keeping in mind that you should as it is occasionally the fix to a problem.
The skew in Windows is actually customized using the Maximum tolerance for computer clock synchronization Kerberos policy. If you cannot change the time on the client (ie – you don’t have a local account)… Unique circumstance, but if it didn’t happen it likely wouldn’t end up here…