The user cannot authenticate because the ticket that Kerberos builds to represent the user is not large enough to contain all of the user's group memberships. Under the same conditions, Windows NTLM authentication works as expected, so you may not notice the Kerberos authentication problem unless you analyze the Windows behavior. However, in such scenarios, Windows may not be able to update Group Policy settings. This behavior occurs in any of the currently supported Windows versions. For information about the currently supported versions of Windows, see the Windows lifecycle fact sheet.

As part of the Authentication Service Exchange, Windows builds a token to represent the user for purposes of authorization. This token (also called an authorization context) includes the security identifier (SID) of the user and the SIDs of all of the groups that the user belongs to. It also includes any SIDs that are stored in the user account's sIDHistory attribute. Kerberos stores this token in the Privilege Attribute Certificate (PAC) data structure in the Kerberos Ticket-Granting Ticket (TGT). Starting with Windows Server 2012, Kerberos also stores the token in the Active Directory Claims information (Dynamic Access Control) data structure in the Kerberos ticket. If the user is a member of a large number of groups, and if there are many claims for the user or for the device that is being used, these fields can occupy a lot of space in the ticket.

The token has a fixed maximum size (MaxTokenSize). Transport protocols such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication operations. MaxTokenSize has the following default value, depending on the version of Windows that builds the token:

- Windows Server 2008 R2 and earlier versions, and Windows 7 and earlier versions: 12,000 bytes
- Windows Server 2012 and later versions, and Windows 8 and later versions: 48,000 bytes

Generally, if the user belongs to more than 120 universal groups, the default MaxTokenSize value does not create a large enough buffer to hold the information. The user cannot authenticate and may receive an out of memory message. Additionally, Windows may not be able to apply Group Policy settings for the user.

Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration, in case problems occur. On each affected computer, set the MaxTokenSize registry entry to a larger value. You can find this entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters subkey.
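The article ties the failure to the number of group SIDs (and sIDHistory entries) that end up in the PAC, so the first thing an administrator wants is a way to find accounts that are near the threshold before they start failing. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the constructed `tokenGroups` attribute (the transitive set of group SIDs the domain controller would place in the token) and the user's `sIDHistory` via ADSI, and flags accounts above a configurable count. The 120 figure is the article's rule of thumb for universal groups at the default MaxTokenSize; using it against the full `tokenGroups` count, as done here, is a conservative approximation and is an assumption of this example. Run it from a domain-joined machine as a user who can read the directory.

```powershell
# Added example (not part of the original article).
# Estimate a user's token size risk from the group SIDs the DC would put in the PAC.
# Assumption: the 120-group threshold from the article is applied to the whole
# tokenGroups set, which is a rough, conservative heuristic.

function Get-TokenGroupSummary {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$WarnAt = 120   # article's rule of thumb for universal groups at default MaxTokenSize
    )

    # Escape LDAP filter metacharacters so an odd account name cannot change the query.
    $escaped = $SamAccountName -replace '([\\\*\(\)\x00])', { '\{0:x2}' -f [int][char]$_.Value }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found in the current domain." }

    # tokenGroups is a constructed attribute: it must be requested explicitly.
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache([string[]]@('tokenGroups', 'sIDHistory'))

    # Each value is a binary SID; convert to SecurityIdentifier objects for readability.
    $groupSids = @($entry.Properties['tokenGroups']) | ForEach-Object {
        New-Object System.Security.Principal.SecurityIdentifier($_, 0)
    }
    $historyCount = @($entry.Properties['sIDHistory']).Count

    [pscustomobject]@{
        User            = $SamAccountName
        TokenGroupCount = $groupSids.Count
        SidHistoryCount = $historyCount
        AtRisk          = ($groupSids.Count + $historyCount) -gt $WarnAt
    }
}

# Usage: check one account, or pipe a list of names to find the outliers.
# Get-TokenGroupSummary -SamAccountName 'jdoe'
# 'jdoe','svc-backup' | ForEach-Object { Get-TokenGroupSummary -SamAccountName $_ } |
#     Where-Object AtRisk | Format-Table
```

Accounts flagged here are the ones to clean up (remove stale group memberships and sIDHistory entries, which shrinks the PAC) or, failing that, the ones whose logon paths justify raising MaxTokenSize on the client and server computers involved.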
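The remediation step above is a registry edit on every affected computer, with a backup first. This PowerShell is an added example, not the article's own procedure: it exports the `Kerberos\Parameters` subkey named in the article, reports whether MaxTokenSize is already set, and writes the new DWORD value only if the current value is smaller. The target of 48,000 bytes is an assumption chosen because the article gives it as the newer built-in default; the change takes effect after the computer restarts. Run it in an elevated session.

```powershell
# Added example (not part of the original article).
# Back up the Kerberos parameters subkey, then raise MaxTokenSize if it is below the target.
# Assumption: 48000 bytes is used as the "larger value"; adjust for your environment.

function Set-KerberosMaxTokenSize {
    param(
        [int]$TargetBytes = 48000,
        [string]$BackupDir = $env:TEMP
    )

    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $regKey  = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

    # 1. Back up the subkey before modifying it, as the article advises.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "Kerberos-Parameters-$stamp.reg"
    & reg.exe export $regKey $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; not changing MaxTokenSize." }

    # 2. Read the current value. Absent means the built-in default for this Windows version applies.
    $current = (Get-ItemProperty -Path $keyPath -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize

    # 3. Only raise the value; never silently lower an administrator's larger setting.
    if ($null -eq $current -or $current -lt $TargetBytes) {
        New-ItemProperty -Path $keyPath -Name MaxTokenSize -PropertyType DWord `
                         -Value $TargetBytes -Force | Out-Null
        $action = 'updated'
    } else {
        $action = 'unchanged'
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        PreviousValue = $current
        NewValue      = (Get-ItemProperty -Path $keyPath -Name MaxTokenSize).MaxTokenSize
        Action        = $action
        Backup        = $backup
        RebootNeeded  = ($action -eq 'updated')
    }
}

# Usage (elevated PowerShell):
# Set-KerberosMaxTokenSize
# Set-KerberosMaxTokenSize -TargetBytes 48000 -BackupDir 'C:\RegBackups'
```

Because the buffer is allocated on both ends of an authentication (the client building the ticket and the RPC or HTTP server receiving it), apply the same value on the servers the affected users authenticate to, not only on their workstations, and roll it out through Group Policy Preferences or configuration management rather than by hand where many computers are involved.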