Kerberos error in long running Exchange PowerShell script after 10 hours

Tagged: powershell


I think you are hitting the domain security policy (group policy object - GPO) => security settings/account policy/Kerberos policy restriction.

The two valid options for you are:

Maximum lifetime for user ticket => the default value is 10 hours

Maximum lifetime for user ticket renewal => the default value is 7 days (this is the period within which the ticket can be renewed).

  • Is there a way to keep the Kerberos ticket from expiring or renew it?

For the first question you "just" need to adjust the maximum lifetime for user ticket setting to a value you deem appropriate.

The second one is more tricky. I would just purge all Kerberos tickets via PowerShell. For more, see: viewing and purging cached Kerberos tickets, which would get you a new one.

If the ticket can be renewed you have to check the RENEWABLE flag - you can view it via kinit. Perhaps kinit -R could be enough for ticket renewal. (I did not do this myself.) You could also renew it via Kerberos for Windows.

Edit -- adding klist purge to purge all Kerberos tickets so it can be renewed.

As you have klist, you can purge all tickets via the following (must be run in an elevated PowerShell prompt; all credits to JaredPoeppelman):

# Purge the ticket cache of every non-NTLM logon session; klist -li takes the logon ID in hex
Get-WmiObject Win32_LogonSession | Where-Object {$_.AuthenticationPackage -ne 'NTLM'} | ForEach-Object {klist.exe purge -li ([Convert]::ToString($_.LogonId, 16))}

Then check if your TGT was updated via:

klist tgt

Note: you must use the FQDN everywhere!


Thanks for your suggestion. In a first try I will extend my code as follows and try to re-establish a new Exchange connection. It needs 10 h of running the script in order to see if this works.

I am not able to influence the domain security policy; additionally, as I do not know how long the script runs, it will be difficult to set a value.

On my Windows 2016 the command "kinit" is not recognized. Possibly I need to install additional modules/roles.

...
$TryCount = 0
$Done = $false
do {
    # It takes a while after enabling the mailbox until settings can be applied, so we need to retry.
    try {
        # If we need to execute a setting several times.
        if ($MailboxSetting.LoopOver) {
            # We have a loop value (array).
            foreach ($LoopValue in $MailboxSetting.LoopOver) {
                # Copy the parameters as we have to change a value (the loop value).
                $TempParams = $Params.PsObject.Copy()
                @($Params.GetEnumerator()) | ? {$_.Value -match '#LOOPVALUE#'} | % {$TempParams[$_.Key] = $LoopValue}
                $res = & $MailboxSetting.Command -ErrorAction Stop @TempParams -WhatIf:$RunConfig.TestMode
            }
        } else {
            $res = & $MailboxSetting.Command -ErrorAction Stop @Params -WhatIf:$RunConfig.TestMode
        }
        # Write-Log "Setting command $($MailboxSetting.Command) executed successfully"
        $Done = $true
    } catch {
        $TryCount++
        # Write-Error here is the script's own logging wrapper, not the built-in cmdlet
        # (the built-in has no -err/-msg/-Break parameters).
        $res = Write-Error -err $error -msg "Error applying mailbox settings, account: $($AccountDetails.sAMAccountName), retry count: $($TryCount)" -Break $false
        # $Retires is the retry limit, defined earlier in the script (outside this excerpt).
        Start-Sleep -s $(($Retires - $TryCount) * 5)
        try {
            # We may have lost the Kerberos ticket, reconnect to Exchange.
            $ConnectionType = $ExchangeSessionInfo.Type
            Disconnect-Exchange
            Connect-Exchange -TargetExchange $ConnectionType
        } catch {}   # a failed reconnect is silently ignored; the next attempt will surface it
    }
} while ((!$Done) -and ($TryCount -lt $Retires))
...
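The answer suggests checking the TGT with klist tgt, and the retry loop above only reconnects after an Exchange call has already failed. The following is an added example (not code from the question, the answer, or any Exchange module) that combines both ideas: it parses the klist tgt output and refreshes the session before an attempt when the ticket is about to expire, falling back to reconnect-and-retry on error. It assumes the klist tgt output layout shown in the constructed sample (Ticket Flags, EndTime and RenewUntil lines), and the asker's Connect-Exchange/Disconnect-Exchange helpers are represented by a caller-supplied $Reconnect script block.

```powershell
# Added example, not part of the original thread. Assumes the "klist tgt" layout
# shown in $SampleKlistOutput below; Connect-Exchange/Disconnect-Exchange are the
# asker's own helpers and are passed in as a script block.

function ConvertFrom-KlistTgt {
    # Parse the text of "klist tgt" into an object holding the ticket lifetime fields.
    param([Parameter(Mandatory)][string[]]$KlistOutput)

    $tgt = [ordered]@{ Renewable = $false; EndTime = $null; RenewUntil = $null }
    foreach ($line in $KlistOutput) {
        switch -Regex ($line) {
            '^\s*Ticket Flags\s*:.*\brenewable\b'      { $tgt.Renewable = $true }
            '^\s*EndTime\s*:\s*(.+?)\s*\(local\)'     { $tgt.EndTime    = [datetime]::Parse($Matches[1]) }
            '^\s*RenewUntil\s*:\s*(.+?)\s*\(local\)'  { $tgt.RenewUntil = [datetime]::Parse($Matches[1]) }
        }
    }
    if (-not $tgt.EndTime) { throw "No cached TGT found in klist output" }
    [pscustomobject]$tgt
}

function Test-TgtNeedsRefresh {
    # True when the TGT has expired or will expire within $MinutesAhead of $Now.
    param(
        [Parameter(Mandatory)]$Tgt,
        [int]$MinutesAhead = 15,
        [datetime]$Now = (Get-Date)
    )
    return ($Tgt.EndTime -le $Now.AddMinutes($MinutesAhead))
}

function Invoke-WithFreshTgt {
    # Run $Action; before each attempt inspect the TGT and call $Reconnect when the
    # ticket is close to expiry, so the Exchange call does not die with a Kerberos
    # error part-way through. On failure, reconnect and retry with a growing delay.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][scriptblock]$Action,
        [Parameter(Mandatory)][scriptblock]$Reconnect,    # e.g. { Disconnect-Exchange; Connect-Exchange ... }
        [int]$MaxAttempts = 3,
        [int]$MinutesAhead = 15,
        [scriptblock]$GetKlistOutput = { klist tgt }      # overridable, e.g. with sample text
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            $tgt = ConvertFrom-KlistTgt -KlistOutput (& $GetKlistOutput)
            if (Test-TgtNeedsRefresh -Tgt $tgt -MinutesAhead $MinutesAhead) {
                Write-Verbose "TGT expires $($tgt.EndTime); refreshing session before attempt $attempt"
                & $Reconnect
            }
            return (& $Action)
        } catch {
            Write-Warning "Attempt $attempt failed: $($_.Exception.Message)"
            if ($attempt -eq $MaxAttempts) { throw }
            & $Reconnect
            Start-Sleep -Seconds (5 * $attempt)
        }
    }
}

# Constructed sample of "klist tgt" output (layout assumed; the real command prints
# the current logon session's ticket). A 10-hour ticket, renewable for 7 days.
$SampleKlistOutput = @'
Cached TGT:

ServiceName        : krbtgt
TargetName (SPN)   : krbtgt
ClientName         : svc-exchange-script
DomainName         : EXAMPLE.LOCAL
TargetDomainName   : EXAMPLE.LOCAL
Ticket Flags       : 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
StartTime          : 4/2/2024 8:00:00 (local)
EndTime            : 4/2/2024 18:00:00 (local)
RenewUntil         : 4/9/2024 8:00:00 (local)
TimeSkew           : 0 minutes
'@ -split "`r?`n"

$tgt = ConvertFrom-KlistTgt -KlistOutput $SampleKlistOutput
"Renewable: $($tgt.Renewable); expires $($tgt.EndTime); renewable until $($tgt.RenewUntil)"

# Evaluate the sample ticket against a clock of 17:50, ten minutes before its EndTime.
Test-TgtNeedsRefresh -Tgt $tgt -Now ([datetime]'2024-04-02T17:50:00') -MinutesAhead 15

# Usage sketch with placeholder script blocks (the asker's helpers go in -Reconnect):
# Invoke-WithFreshTgt -Verbose `
#     -Action    { Set-Mailbox -Identity 'user@example.local' -WhatIf } `
#     -Reconnect { Disconnect-Exchange; Connect-Exchange -TargetExchange $ExchangeSessionInfo.Type }
```

The pre-check costs one klist call per operation but turns the 10-hour failure into a planned reconnect; the catch branch still covers the case where the ticket was lost for another reason. Re-establishing the session acquires a fresh TGT under the account's own credentials, which is what the answer's purge-and-reconnect advice achieves without needing the GPO lifetime changed.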