When attempting to join or rejoin a Windows domain on the ProxySG / ASG, you receive the error message ERROR_GEN_FAILURE.

The clock skew is too great so authentication fails.

This can be confirmed by taking an LSA Debug log as per this article, and searching for the following error message after a join attempt:

TRACE: lwio - [smb_display_status_1() smbkrb5.c:878] GSS-API error calling gss_init_sec_context: -1765328236 (Clock skew too great in KDC reply)

1. Take a packet capture on the proxy with the filter port 88 from Maintenance > Service Information > Packet Captures while trying to join the Windows domain
2. Identify the domain controller the proxy has negotiated Kerberos with
3. Add this domain controller as the primary NTP server on the proxy under Configuration > General > Clock > NTP (promote it to number one in the list)
4. Click Acquire UTC time on the Clock tab
5. Join the Windows domain