How to Resolve Copilot Kerberos Ticket Expired Error on Domain PCs

When using Copilot on a domain-joined Windows PC, you may see an error message stating that the Kerberos ticket has expired. This error typically occurs during a Copilot session when the underlying authentication token used by Microsoft 365 services is no longer valid. The root cause is that the Kerberos ticket granted by your domain controller has reached its maximum lifetime or has been revoked. This article explains why the Kerberos ticket expires, how to renew it, and what to do if the error persists after renewal.

Key Takeaways: Fixing the Copilot Kerberos Ticket Expired Error

  • Command Prompt > klist purge: Removes all cached Kerberos tickets and forces a fresh authentication request.
  • Command Prompt > klist -li 0x3e7 purge: Purges the machine account ticket when user-level tickets do not resolve the error.
  • Windows Settings > Accounts > Access work or school > Disconnect: Resets the Microsoft Entra ID (formerly Azure AD) connection that Copilot relies on.

Why Copilot Shows a Kerberos Ticket Expired Error

Copilot uses the same authentication infrastructure as Microsoft 365 apps and services. On domain-joined PCs, this authentication often relies on Kerberos tickets issued by the on-premises Active Directory domain controller. When a user signs in to Windows with a domain account, the system caches a Ticket Granting Ticket (TGT) that is valid for a specific period, typically 10 hours by default. Microsoft 365 services, including Copilot, request service tickets using this TGT. If the TGT expires or is invalidated for any reason, Copilot cannot obtain a valid service ticket and returns the expired Kerberos ticket error.

Several factors can trigger this error:

  • The user’s password was changed on the domain controller but the cached ticket was not refreshed.
  • The machine clock is out of sync with the domain controller by more than five minutes.
  • The Kerberos ticket lifetime policy in Active Directory was set to a short duration.
  • The user’s account was disabled or locked out on the domain controller.

The error is most common when a user has been logged into Windows for many hours or after a password reset. It can also appear if the PC was disconnected from the corporate network and then reconnected, causing the cached ticket to become stale.

Steps to Renew the Kerberos Ticket and Restore Copilot

The primary fix is to purge the expired Kerberos ticket and request a new one from the domain controller. Follow these steps in order. Stop after each method and test Copilot before moving to the next.

Method 1: Purge and Renew User Kerberos Tickets

  1. Open Command Prompt as an administrator
    Press the Windows key, type cmd, right-click Command Prompt, and select Run as administrator. Click Yes in the User Account Control prompt.
  2. List current Kerberos tickets
    Type klist and press Enter. This shows all cached tickets, including the TGT and any service tickets for Microsoft 365 endpoints such as login.microsoftonline.com or outlook.office365.com. Note the expiration times.
  3. Purge all cached tickets
    Type klist purge and press Enter. This removes all Kerberos tickets from the current logon session. You will see a confirmation message.
  4. Force a new ticket request
    Sign out of Windows by selecting Start > your account icon > Sign out. Sign back in with your domain credentials. The system automatically requests a fresh TGT from the domain controller.
  5. Test Copilot
    Open Copilot in Microsoft Edge or the Copilot app. Try a simple query such as “Summarize my last email.” If the error is gone, no further steps are needed.
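
To make the "note the expiration times" step in Method 1 less error-prone, the following added example (not part of the original article) parses klist output and marks each ticket as OK, EXPIRING or EXPIRED. The function name, the 30-minute warning threshold and the sample tickets are assumptions made for illustration, and the parser assumes en-US formatted klist text.

```powershell
# Added example, not from the original article: report the state of each
# ticket in `klist` output. Assumes en-US text: "End Time: M/d/yyyy H:mm:ss (local)".
# klist reads the current logon session; under UAC an elevated prompt can have a
# different session than the desktop, so check the "Current LogonId" line.
function Get-KlistTicketStatus {
    param(
        [string[]]$KlistOutput,
        [datetime]$Now = (Get-Date),
        [int]$WarnMinutes = 30   # hypothetical early-warning threshold
    )
    $enUS = [cultureinfo]::GetCultureInfo('en-US')
    $server = $null
    foreach ($line in $KlistOutput) {
        if ($line -match '^\s*Server:\s*(\S+)') {
            $server = $Matches[1]            # remember which ticket we are in
        }
        elseif ($server -and $line -match '^\s*End Time:\s*(.+?)\s*\(local\)') {
            $end  = [datetime]::Parse($Matches[1], $enUS)
            $left = [math]::Floor(($end - $Now).TotalMinutes)
            $status = if ($end -le $Now) { 'EXPIRED' } elseif ($left -le $WarnMinutes) { 'EXPIRING' } else { 'OK' }
            [pscustomobject]@{
                Server      = $server
                IsTgt       = $server -like 'krbtgt/*'   # the TGT's service is krbtgt/<realm>
                EndTime     = $end
                MinutesLeft = $left
                Status      = $status
            }
            $server = $null
        }
    }
}

# Constructed sample (not captured output). On a live PC use: $text = klist
$text = @'
Current LogonId is 0:0x5a1b2

Cached Tickets: (2)

#0>     Client: alice @ CONTOSO.EXAMPLE
        Server: krbtgt/CONTOSO.EXAMPLE @ CONTOSO.EXAMPLE
        Start Time: 3/4/2024 8:01:12 (local)
        End Time:   3/4/2024 18:01:12 (local)
#1>     Client: alice @ CONTOSO.EXAMPLE
        Server: HTTP/app.contoso.example @ CONTOSO.EXAMPLE
        Start Time: 3/4/2024 17:40:00 (local)
        End Time:   3/4/2024 18:01:12 (local)
'@ -split "`r?`n"

Get-KlistTicketStatus -KlistOutput $text -Now ([datetime]'2024-03-04T18:30:00') |
    Format-Table -AutoSize
```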

Method 2: Purge Machine Account Tickets

  1. Open Command Prompt as an administrator
    Repeat the first step from Method 1.
  2. Purge the machine account ticket
    Type klist -li 0x3e7 purge and press Enter. The value 0x3e7 is the Local System account’s logon session ID. This clears the computer’s Kerberos ticket, which Copilot sometimes uses for background authentication.
  3. Restart the PC
    Click Start > Power > Restart. A full restart ensures the machine account re-authenticates with the domain controller.
  4. Test Copilot again
    Open Copilot and confirm the error no longer appears.

Method 3: Disconnect and Reconnect Microsoft Entra ID

  1. Open Windows Settings
    Press Windows key + I to open Settings.
  2. Navigate to Access work or school
    Go to Accounts > Access work or school. You will see your connected Microsoft Entra ID (formerly Azure AD) account.
  3. Disconnect the account
    Click the connected account, then click Disconnect. Confirm the action. This removes the cached authentication tokens that Copilot uses.
  4. Restart the PC
    Click Start > Power > Restart.
  5. Reconnect the account
    After the restart, go back to Accounts > Access work or school and click Connect. Sign in with your domain credentials. This forces a new Kerberos ticket and a fresh Microsoft Entra ID token.
  6. Test Copilot
    Open Copilot and verify the error is resolved.

If Copilot Still Shows the Kerberos Error After the Main Fixes

Clock Skew Between the PC and Domain Controller

Kerberos requires the client and domain controller clocks to be within five minutes of each other. If the PC clock is off, Kerberos tickets are rejected. Check the PC time by right-clicking the clock in the taskbar and selecting Adjust date/time. Ensure Set time automatically is on. If the PC is still out of sync, run w32tm /resync in an elevated Command Prompt to force a time sync with the domain controller.
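
To measure the offset rather than eyeball the taskbar clock, the following added example (not part of the original article) parses the output of w32tm /stripchart and compares the largest offset with the five-minute tolerance described above. The function name, the domain controller name and the sample lines are assumptions made for illustration.

```powershell
# Added example, not from the original article: compare the measured clock
# offset against the five-minute Kerberos tolerance.
function Test-KerberosClockSkew {
    param(
        [string[]]$StripchartOutput,
        [double]$ToleranceSeconds = 300   # five minutes, as stated in the article
    )
    $inv = [cultureinfo]::InvariantCulture
    $offsets = @(foreach ($line in $StripchartOutput) {
        # Data lines look like "08:01:12, +00.0123456s"; header and error
        # lines do not match and are skipped.
        if ($line -match '^\d{2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s') {
            [double]::Parse($Matches[1], $inv)
        }
    })
    if ($offsets.Count -eq 0) {
        throw 'No offset samples found; the time source did not answer.'
    }
    # Judge by the sample with the largest absolute offset.
    $worst = $offsets | Sort-Object { [math]::Abs($_) } | Select-Object -Last 1
    [pscustomobject]@{
        Samples         = $offsets.Count
        WorstOffsetSec  = [math]::Round($worst, 3)
        WithinTolerance = [math]::Abs($worst) -le $ToleranceSeconds
    }
}

# Constructed sample (not captured output). On a live PC use:
#   $out = w32tm /stripchart /computer:<dc-name> /samples:3 /dataonly
$out = @'
Tracking dc01.contoso.example [192.0.2.10:123].
Collecting 3 samples.
The current time is 3/4/2024 8:01:12 AM.
08:01:12, +312.4567890s
08:01:14, error: 0x800705B4
08:01:16, +312.4570012s
'@ -split "`r?`n"

Test-KerberosClockSkew -StripchartOutput $out
```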

Password Changed but Not Reflected in Windows

If you changed your domain password on another device, the cached credentials on the PC may still hold the old password. Press Ctrl + Alt + Delete, select Change a password, and enter the new password. Then sign out and sign back in. This triggers a new Kerberos TGT with the updated password.

Group Policy Overrides on Ticket Lifetime

Some organizations enforce a short Kerberos ticket lifetime through Group Policy. If the error returns frequently, contact your IT administrator. They can check the Kerberos policy in Active Directory under Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy. The default maximum lifetime for a TGT is 10 hours. If it is set to a lower value, the policy may need adjustment.

Copilot Returns Generic Output Instead of Tenant-Specific Data

A stale Kerberos ticket can cause Copilot to fall back to generic responses because it cannot authenticate to your Microsoft 365 tenant. After purging tickets, if Copilot still returns generic answers, run klist -li 0x3e7 purge again and restart the Microsoft 365 Apps from the system tray. Right-click the Office icon in the notification area and select Exit, then reopen Copilot.

| Item | Standard Kerberos Ticket Renewal | Copilot Kerberos Error Recovery |
| --- | --- | --- |
| Description | General process for refreshing Kerberos tickets on a domain PC | Targeted steps to fix the Copilot-specific expired ticket error |
| Primary tool | klist purge or logoff/logon | klist purge, klist -li 0x3e7 purge, and Microsoft Entra ID reconnect |
| User interaction | One command and sign-out | Two command variants plus Settings navigation |
| When to use | Any Kerberos-related app error | Only when Copilot displays the ticket expired error |

You can now resolve the Copilot Kerberos ticket expired error by purging cached tickets or reconnecting your Microsoft Entra ID account. Start with the klist purge command and sign-out, as this resolves the issue in most cases. If the error persists, use the machine account purge or the disconnect-reconnect method. To prevent recurrence, check your PC clock sync and ensure your domain password is current across all devices.
