IT Error Decoder
Windows Admin

How to Fix Clock skew too great (Kerberos)

Error message

KRB_AP_ERR_SKEW: Clock skew too great. The difference between the client and server time is too large.

If you're seeing "Clock skew too great (Kerberos)", you're not alone. Here's what it means, why it happens, and the steps to resolve it.

What this error means

Kerberos rejected the ticket because the client's and the domain controller's clocks differ by more than the allowed window (default 5 minutes).

Why this happens

Time service stopped, clock drifted on a VM, NTP source is wrong, or a Hyper-V time-sync integration is fighting with NTP.

Step-by-step fix

  1. On the affected machine, check the current time and time source.

    command
    w32tm /query /status

  2. Force a resync.

    command
    w32tm /resync /force

  3. If the source is wrong, set it to the domain hierarchy.

    command
    w32tm /config /syncfromflags:domhier /update
Restart-Service w32time

  4. On a virtual machine, decide whether host time-sync or NTP wins. Don't run both. On Hyper-V you can disable the Time Synchronization integration component.

Affected products

Windows Admin

Still broken? Try these

  • On the PDC emulator, ensure the authoritative external NTP source is reachable.
  • Check Event Viewer → System for `Time-Service` events around the failure time.
  • Verify domain Group Policy isn't pushing a conflicting NTP configuration.

Related errors

Frequently asked questions

What does "Clock skew too great (Kerberos)" mean?

Kerberos rejected the ticket because the client's and the domain controller's clocks differ by more than the allowed window (default 5 minutes).

What causes "Clock skew too great (Kerberos)"?

Time service stopped, clock drifted on a VM, NTP source is wrong, or a Hyper-V time-sync integration is fighting with NTP.

How do I fix "Clock skew too great (Kerberos)"?

1. On the affected machine, check the current time and time source. 2. Force a resync. 3. If the source is wrong, set it to the domain hierarchy. 4. On a virtual machine, decide whether host time-sync or NTP wins. Don't run both. On Hyper-V you can disable the Time Synchronization integration component. Always test changes in a non-production environment first.

Browse more errors in Windows Admin: Fix Windows administration errors. Access denied, RPC server unavailable, trust relationship failures, Group Policy errors, and network path issues. Or paste your own error into the error decoder tool to find a match. You can also go back to the homepage to browse common errors by topic.