Active Directory MaxTokenSize
The default MaxTokenSize is 8000 bytes on Windows 2000 (before SP2), 12000 bytes on Windows 2000 SP2 and later, Windows Server 2003 and Windows Server 2008/2008 R2, and 48000 bytes on Windows 8 and Windows Server 2012 and later. MaxTokenSize is the size of the buffer the Kerberos SSPI allocates for a user's authentication token; a user whose token does not fit in it fails to authenticate.
A user's token size can be estimated with the PowerShell script linked below, or by hand with the following formula:
Script: http://gallery.technet.microsoft.com/scriptcenter/Check-for-MaxTokenSize-520e51e5
TokenSize = 1200 + 40d + 8s
This formula uses the following values:
d: The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain that the user is a member of plus
the number of groups represented in security ID (SID) history.
s: The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain that the user is a member of.
1200: The estimated ticket overhead. The actual value varies with the DNS domain name length, the client name, and similar factors.
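The formula applied to a real membership list, as an added example that is not part of the original post or of the TechNet script it links to. The group objects only need a GroupScope and a DistinguishedName, which is the shape Get-ADPrincipalGroupMembership returns; the user and groups below are constructed so the script runs offline, and the domain names are placeholders.

```powershell
# Added example, not from the original post or the TechNet script it links to.
# Applies TokenSize = 1200 + 40d + 8s to a list of group objects that carry
# GroupScope and DistinguishedName (the shape Get-ADPrincipalGroupMembership
# returns). The sample membership below is constructed, so this runs offline.

function Get-DomainDn {
    # Returns the domain component of a DN, e.g. "DC=corp,DC=example,DC=com".
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $i = $DistinguishedName.IndexOf('DC=', [StringComparison]::OrdinalIgnoreCase)
    if ($i -lt 0) { throw "No DC= component in '$DistinguishedName'" }
    return $DistinguishedName.Substring($i)
}

function Get-EstimatedTokenSize {
    param(
        [Parameter(Mandatory)][string]$UserDistinguishedName,
        [Parameter(Mandatory)][object[]]$Groups,    # objects with GroupScope, DistinguishedName
        [int]$SidHistoryCount = 0,                  # entries in the user's sIDHistory attribute
        [int]$TicketOverhead  = 1200                # the formula's estimate; varies with name lengths
    )
    $userDomain = Get-DomainDn $UserDistinguishedName
    $d = $SidHistoryCount   # domain local + universal outside the account domain + SID history
    $s = 0                  # global + universal inside the account domain
    foreach ($g in $Groups) {
        $inAccountDomain = (Get-DomainDn $g.DistinguishedName) -ieq $userDomain
        switch ("$($g.GroupScope)") {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($inAccountDomain) { $s++ } else { $d++ } }
            default       { throw "Unexpected GroupScope '$($g.GroupScope)' on $($g.DistinguishedName)" }
        }
    }
    $size  = $TicketOverhead + 40 * $d + 8 * $s
    $total = $Groups.Count + $SidHistoryCount
    [pscustomobject]@{
        d                   = $d
        s                   = $s
        GroupCount          = $total
        EstimatedTokenSize  = $size
        ExceedsDefault12000 = ($size -gt 12000)   # default on Windows Server 2003/2008
        ExceedsMax48000     = ($size -gt 48000)   # Windows Server 2012 default and the recommended ceiling
        OverHardLimit1015   = ($total -gt 1015)   # no MaxTokenSize value helps past this point
    }
}

# Constructed sample: a user in corp.example.com with 250 domain local groups,
# 200 global groups, 30 universal groups in the account domain, 10 universal
# groups in a trusted domain, and 20 SIDs carried over in sIDHistory.
$userDn = 'CN=jdoe,OU=Users,DC=corp,DC=example,DC=com'
$sample = @(
    1..250 | ForEach-Object { [pscustomobject]@{ GroupScope = 'DomainLocal'; DistinguishedName = "CN=DL-Share$_,OU=Groups,DC=corp,DC=example,DC=com" } }
    1..200 | ForEach-Object { [pscustomobject]@{ GroupScope = 'Global';      DistinguishedName = "CN=G-Team$_,OU=Groups,DC=corp,DC=example,DC=com" } }
    1..30  | ForEach-Object { [pscustomobject]@{ GroupScope = 'Universal';   DistinguishedName = "CN=U-App$_,OU=Groups,DC=corp,DC=example,DC=com" } }
    1..10  | ForEach-Object { [pscustomobject]@{ GroupScope = 'Universal';   DistinguishedName = "CN=U-Partner$_,OU=Groups,DC=partner,DC=example,DC=net" } }
)
Get-EstimatedTokenSize -UserDistinguishedName $userDn -Groups $sample -SidHistoryCount 20 | Format-List
```

For this sample d = 280 and s = 230, so the estimate is 1200 + 11200 + 1840 = 14240 bytes: over the 12000-byte default but well under 48000. To run it against a real account with the RSAT ActiveDirectory module, pass (Get-ADUser jdoe).DistinguishedName and (Get-ADPrincipalGroupMembership jdoe) and the count of the user's sIDHistory values. Note that Get-ADPrincipalGroupMembership lists direct memberships only, while the token carries transitive membership; for nested groups, query the transitive set with the LDAP_MATCHING_RULE_IN_CHAIN filter, Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)", or read the user's tokenGroups attribute.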
As a rule of thumb, the default MaxTokenSize is exhausted at roughly 900 group memberships; the exact point depends on the group scopes, because a domain local group costs 40 bytes in the formula above and a global group only 8. Separately, a user can be a member of at most 1,015 groups. That is a hard limit on the number of SIDs in the token, and raising MaxTokenSize does not lift it. To let users with large memberships authenticate, raise MaxTokenSize in the registry on every client and server involved in the Kerberos exchange (not only the workstation), as follows:
Start Registry Editor (Regedt32.exe; on Windows XP and later this opens Regedit, where the equivalent commands are New > Key and New > DWORD (32-bit) Value).
Locate and click the following key in the registry:
System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
If this key is not present, create the key. To do so:
Click the following key in the registry:
System\CurrentControlSet\Control\Lsa\Kerberos
On the Edit menu, click Add Key.
Create a Parameters key.
Click the new Parameters key.
On the Edit menu, click Add Value, and then add the following registry value:
Value name: MaxTokenSize
Data type: REG_DWORD
Radix: Decimal
Value data: 48000
Quit Registry Editor.
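The same registry change as a script, with a check of the value before and after the write. This is an added example, not part of the original post; the key path and value name are the ones from the steps above, and the warning threshold reflects Microsoft's guidance that values above 48000 bytes cause trouble for Kerberos over HTTP.

```powershell
# Added example, not from the original post: the Regedt32 steps above as a
# script. Run in an elevated PowerShell on every client and server involved
# in the Kerberos exchange; the change applies to new logons (reboot to be
# safe). Values above 48000 are not recommended because the ticket travels
# base64-encoded in HTTP headers and IIS rejects oversized requests.

$KerberosParameters = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-MaxTokenSize {
    # Returns the configured value, or $null when the OS default applies.
    param([string]$Path = $KerberosParameters)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name 'MaxTokenSize' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.MaxTokenSize
}

function Set-MaxTokenSize {
    param(
        [ValidateRange(1, 65535)][int]$Bytes = 48000,   # 65535 is the largest value the Kerberos stack accepts
        [string]$Path = $KerberosParameters
    )
    if ($Bytes -gt 48000) {
        Write-Warning "MaxTokenSize $Bytes exceeds 48000; Kerberos over HTTP (IIS) may fail with 400 Bad Request."
    }
    $before = Get-MaxTokenSize -Path $Path
    if ($null -eq $before) { Write-Host 'MaxTokenSize not set; the OS default is in effect' }
    else { Write-Host "MaxTokenSize currently $before" }

    # Regedt32 "Add Key": create Parameters under ...\Lsa\Kerberos if it is missing.
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # Regedt32 "Add Value": REG_DWORD, decimal radix.
    Set-ItemProperty -Path $Path -Name 'MaxTokenSize' -Value $Bytes -Type DWord

    $after = Get-MaxTokenSize -Path $Path
    if ($after -ne $Bytes) { throw "MaxTokenSize reads back as $after, expected $Bytes" }
    return $after
}

Set-MaxTokenSize -Bytes 48000
```

On Windows 8 and Windows Server 2012 and later the same setting can be pushed by Group Policy instead of a registry edit: Computer Configuration > Administrative Templates > System > Kerberos > "Set maximum Kerberos SSPI context token buffer size", which writes this value.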
Symptoms caused by an oversized token, as described in the Microsoft KB articles with these titles:
New resolution for problems with Kerberos authentication when users belong to many groups
"HTTP 400 - Bad Request (Request Header too long)" error in Internet Information Services (IIS)
Users who are members of more than 1,015 groups may fail logon authentication
Group Policy may not be applied to users belonging to many groups
Internet Explorer Kerberos authentication does not work because of an insufficient buffer connecting to IIS
Buffer overflow exploit possible with extended stored procedures
Ref: http://support.microsoft.com/kb/327825