The error appears if the time between the client and the server is not synchronized. Synchronize the time with the Domain Controller for this error to disappear. Logon errors appear if there is a time difference between the client and the Domain Controller.
As per M232386, if the client computer's time or date is not synchronized with the authenticating domain controller, Kerberos validation does not succeed. This occurs because of the variation in the time stamps between the AS_Req and AS_reply between the client and server. Because Kerberos is the only form of logon authentication between two Windows 2000-based computers, the logon does not succeed.
M297234 states that this behavior may occur if you install the Surf Control Enterprise User Monitor on the Domain Controller.
"Windows Time Service and Internet Communication", "How Windows Time Service Works", "Windows Time Service Tools and Settings", and "Keeping Time on your Windows NT Network" provide information on the time service and tips on how to have a synchronized time across your network.
Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.
Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.