Microsoft KB Archive/269643

= Internet Explorer Kerberos authentication does not work because of an insufficient buffer connecting to IIS =

Article ID: 269643

Article Last Modified on 2/19/2007

-

APPLIES TO


 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.01

-



This article was previously published under Q269643



Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
When you try to connect to a Microsoft Internet Information Server (IIS) computer that is configured to use Microsoft Windows 2000 authentication, you receive an Enter Network Password dialog box. When you try to log on, you may be prompted to provide your network credentials again, and after you do so, you may receive the following error message:

You are not authorized to view this page

You do not have permission to view this directory or page using the credentials you supplied.



CAUSE
This problem can occur even though the credentials you provide are valid and can be utilized to obtain access to the same computer through the Microsoft Windows NT Server service by using the net use command. However, the Wininet.dll file may not allocate a sufficient buffer for containing the user's Kerberos token. For example, this can occur if the user is a member of more than 100 groups.



RESOLUTION
To resolve this problem, use the appropriate method for your version of Internet Explorer.

Internet Explorer 5.5
To resolve this problem with Internet Explorer 5.5, obtain and install Internet Explorer 5.5 Service Pack 2 or later.

For additional information about how to obtain the latest service pack for Internet Explorer 5.5, click the following article number to view the article in the Microsoft Knowledge Base:

276369 How to obtain the latest service pack for Internet Explorer 5.5

Internet Explorer 5.01
To resolve this problem with Internet Explorer 5.01, obtain and install either Internet Explorer 5.01 Service Pack 2 or later or Microsoft Windows 2000 Service Pack 2 or later.

For additional information about how to obtain the latest service pack for Windows 2000 or Internet Explorer 5.01, click the following article numbers to view the articles in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

267954 How to obtain the latest Internet Explorer 5.01 service pack

For additional information about how to resolve this problem with Internet Explorer 5.01 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:

277741 Internet Explorer logon fails due to an insufficient buffer for Kerberos



WORKAROUND
To work around this problem, reduce the number of groups that the user is a member of.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Internet Explorer version 5.01 Service Pack 2.



MORE INFORMATION
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

This hotfix allows a larger number of groups to be supported. To increase the maximum token size after you install the hotfix, use the following steps:  Start Registry Editor (Regedt32.exe). Locate and then click the following key in the registry:

 On the Edit menu, click Add Key, and then add the following registry key:

Key name: Parameters

 On the Edit menu, click Add Value, and then add the following registry value:

Value name: MaxTokenSize Type: REG_DWORD

Radix: Decimal

Value: 65535

</li> Quit Registry Editor.</li></ol>

Note A token size of 65,535 supports approximately 900 groups that a user may be a member of. The SID information that is associated with each group may vary in size, and this can result in some variation in this value. For additional information about Kerberos Token Size configuration and support in Windows 2000, click the following article numbers to view the articles in the Microsoft Knowledge Base:

263693 Group Policy may not be applied to users belonging to many groups

297869 SMS administrator issues after you modify the Kerberos MaxTokenSize registry value

Note This problem involves an Internet Explorer Wininet buffering issue. In order to resolve this issue, the hotfix, Windows 2000 Service Pack 2 or Internet Explorer update must be applied and the registry parameter must be set on all client systems.

Keywords: kbhotfixserver kbqfe kbbug kbenv kberrmsg kbfix kbie501presp2fix kbqfe KB269643

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.