Saturday, December 7, 2013

Active Directory MaxTokenSize

The default MaxTokenSize is 8000 bytes on Windows 2000, 12000 bytes on Windows Server 2003/2008, and 48000 bytes on Windows Server 2012.

A user's token size can be estimated with the PowerShell script linked below, which applies the following formula:

Script: http://gallery.technet.microsoft.com/scriptcenter/Check-for-MaxTokenSize-520e51e5

TokenSize = 1200 + 40d + 8s

This formula uses the following values:

    d: The number of domain local groups the user is a member of, plus the number of universal groups outside the user's account domain that the user is a member of, plus the number of groups represented in SID history.
    s: The number of security global groups the user is a member of, plus the number of universal groups in the user's account domain that the user is a member of.
    1200: The estimated value for ticket overhead. This value can vary depending on factors such as DNS domain name length, client name, and others.
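The following Python example, added here and not part of the original post or the linked script, applies the formula above to a constructed list of group memberships: it sorts each membership into the d or s term by group scope and domain, computes TokenSize, and compares it with the default MaxTokenSize for a given Windows version. The Group class, the group names and the corp.example/legacy.example domains are assumptions made for the sample.

```python
from dataclasses import dataclass

# Default MaxTokenSize per Windows version, in bytes (values stated in the post).
DEFAULT_MAX_TOKEN_SIZE = {"2000": 8000, "2003": 12000, "2008": 12000, "2012": 48000}
TICKET_OVERHEAD = 1200  # estimated ticket overhead term of the formula

@dataclass(frozen=True)
class Group:
    """A security group membership (constructed model, not an AD object)."""
    name: str
    scope: str   # "domainlocal", "global" or "universal"
    domain: str  # domain that hosts the group

def count_d_and_s(groups, account_domain, sid_history_count=0):
    """d = domain local + universal outside the account domain + SID history;
    s = global + universal inside the account domain."""
    d, s = sid_history_count, 0
    for g in groups:
        scope = g.scope.lower()
        if scope == "domainlocal":
            d += 1
        elif scope == "global":
            s += 1
        elif scope == "universal":
            if g.domain.lower() == account_domain.lower():
                s += 1
            else:
                d += 1
        else:
            raise ValueError(f"unknown group scope {g.scope!r} for {g.name}")
    return d, s

def estimated_token_size(d, s):
    """TokenSize = 1200 + 40d + 8s."""
    return TICKET_OVERHEAD + 40 * d + 8 * s

def assess(groups, account_domain, sid_history_count=0, windows_version="2008"):
    """Estimate the token and flag it if it exceeds the default MaxTokenSize."""
    d, s = count_d_and_s(groups, account_domain, sid_history_count)
    size = estimated_token_size(d, s)
    limit = DEFAULT_MAX_TOKEN_SIZE[windows_version]
    return {"d": d, "s": s, "token_size": size, "limit": limit, "exceeds": size > limit}

# Constructed sample: a corp.example user with a handful of memberships.
SAMPLE_GROUPS = (
    [Group(f"GG-{i}", "global", "corp.example") for i in range(3)]
    + [Group(f"UG-{i}", "universal", "corp.example") for i in range(2)]
    + [Group("UG-legacy", "universal", "legacy.example")]
    + [Group(f"DL-{i}", "domainlocal", "corp.example") for i in range(4)]
)
```

Because each domain local group costs 40 bytes against 8 for a global group, around 270 domain local memberships alone push the estimate past the 12000-byte default, which is why the script is worth running before the HTTP 400 and logon symptoms listed below appear.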


By default a user can belong to 900 groups. The hard limit is 1,015 groups a user can be a member of. To allow a user to belong to more than 900 groups, modify the registry value on the workstation as follows:


    Start Registry Editor (Regedt32.exe).

    Locate and click the following key in the registry:
    System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

    If this key is not present, create the key. To do so:
        Click the following key in the registry:
        System\CurrentControlSet\Control\Lsa\Kerberos
        On the Edit menu, click Add Key.
        Create a Parameters key.
        Click the new Parameters key.

    On the Edit menu, click Add Value, and then add the following registry value:
    Value name: MaxTokenSize
    Data type: REG_DWORD
    Radix: Decimal
    Value data: 48000
    Quit Registry Editor.

Symptoms caused by an oversized token:

New resolution for problems with Kerberos authentication when users belong to many groups
"HTTP 400 - Bad Request (Request Header too long)" error in Internet Information Services (IIS)
Users who are members of more than 1,015 groups may fail logon authentication
Group Policy may not be applied to users belonging to many groups
Internet Explorer Kerberos authentication does not work because of an insufficient buffer connecting to IIS
Buffer overflow exploit possible with extended stored procedures

Ref: http://support.microsoft.com/kb/327825
