Microsoft KB Archive/280830

= Kerberos Authentication May Not Work If User Is a Member of Many Groups =

PSS ID Number: 280830

Article Last Modified on 9/18/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional

-



This article was previously published under Q280830



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
If a user is a member of many groups either directly or because of group nesting, Kerberos authentication may not work. The Group Policy object (GPO) may not be applied to the user and the user may not be validated to use network resources.

If the Administrator is a member of more than 70 to 80 groups there may be 2 additional symptoms:
 * When logging into a DC, an event id 1000 will be generated in the system log.
 * Running DC promo to bring up a new DC will result in &quot;Access Denied&quot; when entering the domain admin credentials.

If the user has an associated logon script, the script may fail with one of the following error messages:

Not enough storage is available to complete this operation.

Hexadecimal values: 800a0007, 8007000e

Decimal values: -2146828281, -2147024882



CAUSE
The Kerberos token has a fixed size. If a user is a member of a group either directly or by membership in another group, the security ID (SID) for that group is added to the user's token. For a SID to be added to the user's token, it must be communicated by using the Kerberos token. If the required SID information exceeds the size of the token, authentication does not succeed. The number of groups varies, but the limit is approximately 70 to 80 groups.

For many operations, Windows NTLM authentication succeeds; the Kerberos authentication problem may not be evident without analysis. However, operations that include GPO application do not work at all.



RESOLUTION
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Windows 2000 service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The typical support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this fix should have the following file attributes or later:   Date        Time    Version        Size     File name 10/20/2000 09:52a  5.0.2195.2530  206,896  Kerberos.dll 10/19/2000 03:04p  5.0.2195.2531   69,456  Ksecdd.sys Note that you must use a registry parameter that is available with this hotfix to increase the Kerberos token size. See the &quot;More Information&quot; section of this article for additional information.

This fix should be implemented on every computer in the enterprise. The value for MaxTokenSize should be identical on each computer. A client utilizes this parameter for Internet Explorer Wininet operations requiring Kerberos authentication to an IIS system. Also, the value is utilized to set the size of a Kerberos token utilized by clients, servers and domain controllers.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

A registry parameter is available after you apply this hotfix that you can use to increase the Kerberos token size. For example, increasing the token size to 100 KB allows a user to be present in more than 900 groups. Because of the associated SID information, this number may vary.

To use this parameter:  Start Registry Editor (Regedt32.exe). Locate and click the following key in the registry:

Note If this key is not present, create the key. To do so:  Click the following key in the registry:

 On the Edit menu, click Add Key.</li> In the Key Name box, type Parameters, and then click OK. You can leave the Class box empty.</li> Click the new  key to select it.</li></ol> </li> On the Edit menu, click Add Value, and then add the following registry value:

Value name: MaxTokenSize Data type: REG_DWORD Radix: Decimal Value data: 100000

</li> Quit Registry Editor.</li></ol>

The default value for MaxTokenSize is 12000 decimal. Microsoft recommends that you set this value to 100000 decimal, 186a0 hexadecimal. If you set this value incorrectly to 100000 hexadecimal (an extremely large value) Kerberos authentication operations may fail, and programs may return errors. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

297869 SMS: SMS Administrator Issues After You Modify the Kerberos MaxTokenSize Registry Value

After you set the value and the computer is updated, restart the computer. Although you must update the domain controllers individually, you can use Group Policy settings to set this value for client computers that have also been updated. You must update and configure servers in the domain with this registry modification.For additional information about this registry value, click the article number below to view the article in the Microsoft Knowledge Base:

313661 FIX: Error Message: 'Timeout Expired' Occurs When You Connect to SQL Server over TCP/IP and the Kerberos MaxTokenSize Is Greater Than 0xFFFF

300367 DCOM Client May Put Memory on the Wire

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

277741 Internet Explorer Logon Fails Due to an Insufficient Buffer for Kerberos

Keywords: kbbug kbfix kbQFE kbWin2000PreSP2Fix KB280830

Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000Pro kbwin2000ProSearch kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbWinAdvServSearch

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© 2004 Microsoft Corporation. All rights reserved.