Windows Server

Kerberos error: Clock skew too great while getting initial credentials

Kerberos error

Clock skew is a phenomenon in synchronous digital circuit systems in which the same sourced clock signal arrives at different components at different times. The instantaneous difference between the readings of any two clocks is called their skew”. For a similar error, see Unspecified GSS failure, minor code may provide more information Clock skew too great when Connecting to Hive Server. In this article, we shall discuss the steps to fix “Kerberos error: Clock skew too great while getting initial credentials”.

The screenshot below shows that the Ansible server is actually not in sync with the Domain controller (DC).

Clock skew

Fix Clock skew too great while getting initial credentials

This simply shows that devices are not in sync with the domain controller. The role responsible for this is the PDC Emulator. For more information on this, see FSMO roles.

The below shows the correct time set for the Ansible server

Initial credentials

The Domain controller has a great deviation in the time settings as shown below.

Clock synchronization

Fix for Clock skew too great while getting initial credentials

Set the right time on the Domain controller because Kerberos is time-sensitive.

  • On the Server Manager,
  • Select Local Server
  • This will open up the Date and Time window
  • Click on Change date and time.

For more details on post-operating system installation, see Windows Server Properties.

FAQs relating to System time

What are the security implications of “Clock skew too great” errors in Kerberos?

Clock skew errors in Kerberos are essential for security. They prevent replay attacks and protect the integrity of the authentication process. If the client’s clock is too far ahead of the KDC’s clock, an attacker could capture an authentication request and replay it in the future when the KDC would accept it, thereby allowing unauthorized access. By enforcing a time window for requests, Kerberos reduces this risk.

What does the “Clock skew too great” error in Kerberos mean?

As discussed already, the “Clock skew too great” error in Kerberos shows that there is a significant time difference between the client and the authentication server. Kerberos relies on synchronized clocks to function properly, and when the time difference exceeds a certain threshold (a few minutes). It considers the request invalid due to potential security risks as discussed above. This error is a security measure to prevent replay attacks.

I hope you found this blog post on “Kerberos error: Clock skew too great while getting initial credentials” helpful. Please let me know in the comment session if you have any questions.

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x