Low severity | authentication

Power BI Error: AADSTS81009
What does this error mean?
Azure AD / Entra ID rejects the Kerberos ticket that Seamless SSO sends because the `Authorization` header is malformed or the ticket it carries is invalid.
Common causes
1. The Kerberos ticket for the AZUREADSSOACC computer account is encrypted with an outdated password (the decryption key was rotated but not re-synced to on-prem AD)
2. The client falls back to NTLM instead of Kerberos because the Azure AD URL (autologon.microsoftazuread-sso.com) is not in the browser's Local Intranet / Trusted Sites zone
3. Multiple AZUREADSSOACC accounts exist in on-prem AD after a forest re-onboarding, causing ticket/key mismatches
4. Time skew of more than 5 minutes between the client, the on-prem domain controller, and Azure AD
5. The user signs in from a non-domain-joined device or over a network where Kerberos to the on-prem KDC is unreachable (no line of sight to a DC)
How to fix it
1. Roll the Kerberos decryption key of the AZUREADSSOACC$ computer account: on the Azure AD Connect server run `Update-AzureADSSOForest` from the `AzureADSSO.psm1` module — this resyncs the password between on-prem AD and Azure AD / Entra ID
2. Verify that only ONE AZUREADSSOACC computer object exists per forest (`Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'"`); delete duplicates left over from previous Seamless SSO enablements
3. Push the Intranet Zone policy via GPO so that `https://autologon.microsoftazuread-sso.com` is in the Local Intranet zone and 'Automatic logon only in Intranet zone' is enabled — without this the browser sends NTLM and the header is rejected
4. Confirm time sync: the client, the DC, and the Azure AD Connect server must be within 5 minutes of each other (`w32tm /query /status`)
5. Reproduce with Fiddler or a network trace and inspect the `Authorization: Negotiate` header — if the token starts with `TlRMTVNT` (NTLM) instead of `YII` (Kerberos), the issue is client-side zone configuration, not the AZUREADSSOACC key
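Step 5 works because `TlRMTVNT` is the base64 encoding of the `NTLMSS` signature bytes and `YII` is the base64 encoding of a DER `[APPLICATION 0]` GSS-API token with a two-byte length, which is what a SPNEGO-wrapped Kerberos AP-REQ looks like. The prefix check is a quick triage, but it misses the case where NTLM is itself wrapped in SPNEGO (the token then also starts with `Y`, just not `YII`). The script below is an added example, not part of the original page or of any Microsoft tooling: it decodes the token and decides by the NTLMSSP signature and the first mechanism OID in the SPNEGO `mechTypes` list, which is the mechanism the inner token belongs to. The sample tokens and trace lines are constructed inline; paste a real token from the Fiddler trace into `classify_negotiate_token()` to use it on your own capture.

```python
"""Triage the Authorization header from a Seamless SSO trace (fix step 5).

Added example, not from the original page. Sample tokens and trace lines are
constructed here so the script runs offline; nothing is sent to Azure AD.
"""
import base64
import binascii
import re

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # first 8 bytes of every NTLM message
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"  # DER OID 1.3.6.1.5.5.2
# DER-encoded mechanism OIDs as they appear inside a SPNEGO mechTypes list
MECH_OIDS = {
    "ms-kerberos": b"\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02",  # 1.2.840.48018.1.2.2
    "kerberos": b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02",     # 1.2.840.113554.1.2.2
    "ntlm": b"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a",     # 1.3.6.1.4.1.311.2.2.10
}
NEXT_STEP = {
    "ntlm": "client-side: Local Intranet zone / automatic logon (fix step 3)",
    "ntlm-in-spnego": "client-side: Local Intranet zone / automatic logon (fix step 3)",
    "kerberos": "server-side: AZUREADSSOACC key, duplicate objects, time skew (fix steps 1, 2, 4)",
    "malformed": "token is not a GSS-API/NTLM token: recapture, check proxies rewriting headers",
    "unknown-mech": "SPNEGO token offers no known mechanism: inspect the capture by hand",
}
AUTH_RE = re.compile(r"^Authorization:\s*(\S+)\s+(\S+)", re.IGNORECASE)


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def spnego_init_token(mech_oids: list, mech_token: bytes) -> bytes:
    """GSS-API InitialContextToken carrying a SPNEGO NegTokenInit (constructed sample)."""
    mech_types = der(0x30, b"".join(mech_oids))
    neg_init = der(0x30, der(0xA0, mech_types) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, SPNEGO_OID + der(0xA0, neg_init))


def ntlm_negotiate_message() -> bytes:
    """Constructed NTLM NEGOTIATE_MESSAGE (type 1) with sample flags and empty name fields."""
    flags = (0x00000207).to_bytes(4, "little")
    return NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + flags + bytes(16)


def classify_negotiate_token(token_b64: str) -> str:
    """Return 'kerberos', 'ntlm', 'ntlm-in-spnego', 'unknown-mech' or 'malformed'."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"  # raw NTLMSSP, no SPNEGO wrapper: the TlRMTVNT case
    if raw[:1] != b"\x60":
        return "malformed"  # not a GSS-API InitialContextToken
    # mechTypes precedes mechToken and the inner token belongs to the FIRST
    # listed mechanism, so the earliest known mech OID decides.
    hits = {name: raw.find(oid) for name, oid in MECH_OIDS.items()}
    hits = {name: pos for name, pos in hits.items() if pos >= 0}
    if not hits:
        return "unknown-mech"
    first = min(hits, key=hits.get)
    return "kerberos" if first.endswith("kerberos") else "ntlm-in-spnego"


def triage_trace(lines: list) -> list:
    """Classify every Authorization header in a trace; returns (label, next step) pairs."""
    results = []
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if not m:
            continue
        scheme, token = m.group(1).lower(), m.group(2)
        if scheme == "negotiate":
            label = classify_negotiate_token(token)
        elif scheme == "ntlm":
            label = "ntlm"
        else:
            label = "other-scheme"
        results.append((label, NEXT_STEP.get(label, "unexpected auth scheme")))
    return results


# Constructed sample tokens: a SPNEGO-wrapped Kerberos AP-REQ stand-in (1280 zero bytes
# in place of the real ticket), a raw NTLM message, and NTLM wrapped in SPNEGO.
KERBEROS_TOKEN = base64.b64encode(spnego_init_token(
    [MECH_OIDS["ms-kerberos"], MECH_OIDS["kerberos"], MECH_OIDS["ntlm"]],
    der(0x6E, bytes(1280)))).decode()
NTLM_RAW_TOKEN = base64.b64encode(ntlm_negotiate_message()).decode()
NTLM_SPNEGO_TOKEN = base64.b64encode(
    spnego_init_token([MECH_OIDS["ntlm"]], ntlm_negotiate_message())).decode()

# Constructed trace excerpt in the shape of a Fiddler raw view
SAMPLE_TRACE = [
    "GET / HTTP/1.1", "Host: autologon.microsoftazuread-sso.com",
    f"Authorization: Negotiate {KERBEROS_TOKEN}", "",
    "GET / HTTP/1.1", "Host: autologon.microsoftazuread-sso.com",
    f"Authorization: Negotiate {NTLM_RAW_TOKEN}", "",
    "GET / HTTP/1.1", f"Authorization: Negotiate {NTLM_SPNEGO_TOKEN}",
]

if __name__ == "__main__":
    for (label, step), tok in zip(triage_trace(SAMPLE_TRACE),
                                  (KERBEROS_TOKEN, NTLM_RAW_TOKEN, NTLM_SPNEGO_TOKEN)):
        print(f"{tok[:10]:<12} {label:<15} -> {step}")
```

Running it prints one line per request: the Kerberos sample starts with `YII` and the raw NTLM sample with `TlRMTVNT`, exactly as step 5 describes, while the SPNEGO-wrapped NTLM sample starts with `YE` and would slip past a prefix-only check but is still routed to the client-side zone fix.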