Active Directory MaxTokenSize


MaxTokenSize is 8000 bytes on Windows 2000, 12000 bytes on Windows 2003/2008 and 48000 bytes on Windows Server 2012.

The size of a user's token can be calculated with the PowerShell script linked below or with the following formula:

Script: http://gallery.technet.microsoft.com/scriptcenter/Check-for-MaxTokenSize-520e51e5

TokenSize = 1200 + 40d + 8s

This formula uses the following values:

    d: The number of domain local groups a user is a member of, plus the number of universal groups outside the user’s account domain that the user is a member of, plus the number of groups represented in security ID (SID) history.
    s: The number of security global groups that a user is a member of plus the number of universal groups in a user’s account domain that the user is a member of.
    1200: The estimated value for ticket overhead. This value can vary, depending on factors such as DNS domain name length, client name, and other factors.
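As an added example (not the gallery script linked above), the formula can be applied to a user's transitive group membership with the ActiveDirectory module. The nested-membership LDAP query, the same-domain test via the SID's domain part and the user name are assumptions of this example, not part of the post:

```powershell
# Added example: estimate a user's Kerberos token size with TokenSize = 1200 + 40d + 8s.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read group objects.
# Caveat: the matching-rule query below resolves nested membership only within the user's
# own domain; universal groups from other domains of the forest are not counted here.
Import-Module ActiveDirectory

function Get-EstimatedTokenSize {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user          = Get-ADUser -Identity $SamAccountName -Properties SIDHistory
    $userDomainSid = $user.SID.AccountDomainSid

    # Transitive (nested) membership via LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941).
    # DNs containing ( ) * or \ would need LDAP filter escaping; plain DNs are assumed here.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"

    $d = 0   # domain local + universal outside the account domain + SID history entries
    $s = 0   # global + universal inside the account domain
    foreach ($g in $groups) {
        # Only security groups are placed in the token; distribution groups are not
        if ($g.GroupCategory -ne 'Security') { continue }
        $sameDomain = ($g.SID.AccountDomainSid -eq $userDomainSid)
        switch ($g.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($sameDomain) { $s++ } else { $d++ } }
        }
    }
    # Each SID in sIDHistory counts toward d as well
    $d += @($user.SIDHistory | Where-Object { $_ }).Count

    $size = 1200 + (40 * $d) + (8 * $s)
    [pscustomobject]@{
        User           = $SamAccountName
        D              = $d
        S              = $s
        EstimatedBytes = $size
        Fits12000      = ($size -le 12000)   # Windows 2003/2008 default MaxTokenSize
        Fits48000      = ($size -le 48000)   # Windows Server 2012 default MaxTokenSize
    }
}

# 'jdoe' is a placeholder account name
Get-EstimatedTokenSize -SamAccountName 'jdoe'
```

The 1200-byte overhead is the estimate quoted in the post; real tickets vary with domain and client name length, so treat the result as a lower bound when comparing against MaxTokenSize.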

By default a user token accommodates about 900 groups; the hard limit is 1,015 groups a user can be a member of. To allow a user more than 900 groups, modify the registry value on the workstation as follows:

    Start Registry Editor (Regedt32.exe).

    Locate and click the following key in the registry:
    System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

    If this key is not present, create the key. To do so:
        Click the following key in the registry:
        System\CurrentControlSet\Control\Lsa\Kerberos
        On the Edit menu, click Add Key.
        Create a Parameters key.
        Click the new Parameters key.

    On the Edit menu, click Add Value, and then add the following registry value:
    Value name: MaxTokenSize
    Data type: REG_DWORD
    Radix: Decimal
    Value data: 48000
    Quit Registry Editor.

Symptoms due to token size:

New resolution for problems with Kerberos authentication when users belong to many groups
“HTTP 400 – Bad Request (Request Header too long)” error in Internet Information Services (IIS)
Users who are members of more than 1,015 groups may fail logon authentication
Group Policy may not be applied to users belonging to many groups
Internet Explorer Kerberos authentication does not work because of an insufficient buffer connecting to IIS
Buffer overflow exploit possible with extended stored procedures

Ref: http://support.microsoft.com/kb/327825

About Raji Subramanian

Nothing great to say about me... Just want to share my knowledge with others; it will be useful at any moment when they are stuck in a critical issue....
