To ensure tickets expire correctly. -the actual verification of a clients identity is done by validating an authenticator. the authenticator contains the clients identity and a timestamp. to insure that the authenticator is up-to-date and is not an old one that has been captured by an attacker, the timestamp in the authenticator is checked against the current time. if the timestamp is not close enough to the current time (typically within five minutes) then the authenticator is rejected as invalid. thus, kerberos requires your system clocks to be loosely synchronized (the default is 5 minutes, but it can be adjusted in version 5 to be whatever you want).