During a routine health check you discover that users can no longer authenticate to a Windows Server 2019 web application that relies on Kerberos. The System log on the server shows the following entry:
Event ID 4, Source Kerberos: "The Kerberos client received a KRB_AP_ERR_SKEW error. The time on the client and server machines might be out of sync."
Network connectivity and DNS resolution to the domain controllers are normal.
Which action will MOST quickly restore user access while following best practices?
Disjoin the computer from the domain, then rejoin it to rebuild the secure channel.
Increase the "Maximum tolerance for computer clock synchronization" Kerberos policy from 5 to 30 minutes.
Resynchronize the server clock with a reliable NTP source and restart or resync the Windows Time (w32time) service.
Purge the local Kerberos ticket cache with the klist utility and reboot the server.
KRB_AP_ERR_SKEW is recorded when the timestamp in a Kerberos ticket differs from the server's clock by more than the maximum tolerance (5 minutes by default). Because authentication fails until the clocks agree, the fastest and proper fix is to bring the server's system time back into sync, typically by forcing an immediate NTP resynchronization and restarting or resyncing the Windows Time service. Purging the ticket cache only obtains new tickets, which are still invalid if the clock is wrong. Expanding the allowed skew weakens security and still requires policy refresh and replication before it takes effect. Disjoining and rejoining the domain is time-consuming and does not address the underlying time problem.