diff --git a/kdc/kaserver.c b/kdc/kaserver.c
index 5cfac8f2d..2f8a3ba7b 100644
--- a/kdc/kaserver.c
+++ b/kdc/kaserver.c
@@ -469,6 +469,11 @@ do_authenticate (struct rx_header *hdr,
 krb5_ret_int32 (reply_sp, &chal);
 krb5_storage_free (reply_sp);
 
+ if (abs(chal - kdc_time) > context->max_skew) {
+ make_error_reply (hdr, KACLOCKSKEW, reply);
+ goto out;
+ }
+
 /* life */
 max_life = end_time - kdc_time;
 if (client_entry->max_life)
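Review bot: The added skew check passes `chal - kdc_time` through `abs()`, which takes and returns `int`. If `kdc_time` is a 64-bit `time_t` (its declaration is outside the hunk), the difference is narrowed before the comparison, and `abs(INT_MIN)` is undefined. Since this comparison is what rejects stale or replayed authenticators, it is safer to compute the difference in a wide signed type and test both bounds explicitly, e.g. `int64_t skew = (int64_t)chal - (int64_t)kdc_time;` followed by `if (skew > context->max_skew || skew < -context->max_skew) {`. The context line above also ignores the return value of `krb5_ret_int32 (reply_sp, &chal)`, so on a short or malformed buffer `chal` may not hold a decoded value when it reaches this check. Unless `chal` is initialized earlier in `do_authenticate`, whose body starts and ends outside the hunk, that return value should be checked and an error reply sent on failure.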