Microsoft KB Archive/275266

= Error Message: During a Logon Attempt, the User's Security Context Accumulated Too Many Security IDs =

Article ID: 275266

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Server 4.0 Enterprise Edition




This article was previously published under Q275266



SYMPTOMS
When you try to log on to a domain or connect to a network share on a server, you may receive the following error message (error code 1384):

During a logon attempt, the user's security context accumulated too many security IDs.



CAUSE
This behavior occurs because the versions of Windows that are listed at the beginning of this article contain a limit that prevents a user's security access token from containing more than 1000 security identifiers (SIDs). This means that when a user is being validated for access rights to establish a new session with a server, that user must not be a member of more than 1000 groups in that server's domain. If this limit is exceeded, access to the server is denied, and the error code 1384 is returned to the user.

If the server that the user connects to is in a second domain (for example, if the user connects to a server in a Windows 2000 resource domain), the total number of groups the user is a member of is determined by adding the user's group membership in that second domain to the user's global group membership in their domain.



STATUS
This is expected behavior for the products that are listed at the beginning of this article. This behavior is by design.



MORE INFORMATION
If a group from the user's domain is included in multiple groups in the second domain, the user's total group membership is not just incremented by one for their inclusion in this group. Instead, it is additionally incremented by the number of groups in the second domain that this group is a member of.

For example, if you add a user to a global group in their domain, and add this global group to four local groups in a second domain, the user's total group membership (and SID count) in that second domain is increased by five, instead of just being increased by one as you may expect.
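The counting rule described above can be modeled as a walk over group memberships. The following is an added example, not code from Microsoft or from the original article. All domain, group and user names are constructed, and the model counts group SIDs only, as the article's rule does.

```python
from collections import deque

SID_LIMIT = 1000          # token limit stated in the article
ERROR_CODE = 1384         # error code the article reports when the limit is exceeded

# Constructed sample data: group -> (domain, scope).
GROUPS = {"CORP\\Sales": ("CORP", "global"), "OTHER\\Lab": ("OTHER", "local")}
GROUPS.update({f"RES\\Local{i}": ("RES", "local") for i in range(1, 5)})
GROUPS.update({f"CORP\\Team{i}": ("CORP", "global") for i in range(1, 997)})

# Constructed sample data: principal -> groups it is a direct member of.
MEMBER_OF = {
    "CORP\\alice": ["CORP\\Sales"],
    "CORP\\bob": ["CORP\\Sales"] + [f"CORP\\Team{i}" for i in range(1, 997)],
    "CORP\\Sales": [f"RES\\Local{i}" for i in range(1, 5)] + ["OTHER\\Lab"],
}

def group_sids(user, home, server_domain):
    """Groups that add a SID when `user` (from `home`) connects to a server in `server_domain`."""
    counted, queue = set(), deque([user])
    while queue:
        for group in MEMBER_OF.get(queue.popleft(), ()):
            domain, scope = GROUPS[group]
            from_home = domain == home and scope == "global"
            from_server = domain == server_domain and scope == "local"
            if group in counted or not (from_home or from_server):
                continue
            counted.add(group)      # the seen-set also guards against membership cycles
            queue.append(group)     # follow nesting: this group's own memberships count too
    return counted

def logon_result(user, home, server_domain):
    """Return (group SID count, error code or 0) under the article's limit."""
    count = len(group_sids(user, home, server_domain))
    return count, (ERROR_CODE if count > SID_LIMIT else 0)

if __name__ == "__main__":
    for user in ("CORP\\alice", "CORP\\bob"):
        print(user, logon_result(user, "CORP", "RES"))
```

In this constructed data, one global group nested in four local groups of the second domain costs alice five SIDs, and the same nesting pushes bob from 997 group SIDs in his own domain to 1001 in the second domain.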

Keywords: kberrmsg kbnetwork kbprb KB275266


© Microsoft Corporation. All rights reserved.