Article ID: 867581
Article Last Modified on 3/2/2007
APPLIES TO
- Microsoft SQL Server 2000 Standard Edition
- Microsoft SQL Server 2000 Desktop Engine (Windows)
Bug #: 471577 (Shiloh)
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry
SYMPTOMS
When you try to connect to an instance of Microsoft SQL Server 2000 or to an instance of SQL Server 2000 Desktop Engine (also known as MSDE 2000) by using Windows Authentication, you may receive the following error message:
CAUSE
This problem may occur if the registry value of the MaxTokenSize parameter for Kerberos is high. Typically, this problem occurs when the registry value of the MaxTokenSize parameter is set to a hexadecimal value of 0x100000, instead of a decimal value of 65,535.
WORKAROUND
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To work around this problem, set the base of the MaxTokenSize registry value to decimal, and then set the registry value to a lower value. To do this, follow these steps:
At a command prompt, run the following command to start Registry Editor:
regedit
- Locate and then click the following registry key in Registry Editor:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
- In the right pane, right-click MaxTokenSize, and then click Modify.
- In the Edit DWORD Value dialog box, click Decimal in the Base box.
- In the Value data box, type a lower value, and then click OK.
- Close Registry Editor.
- Restart the computer.
MORE INFORMATION
Steps to reproduce the problem
On a computer that is running the instance of SQL Server 2000 or the instance of SQL Server 2000 Desktop Engine, follow these steps:
At a command prompt, run the following command to start Registry Editor:
regedit
- Locate and then click the following registry key in Registry Editor:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Note If this registry key is not present, create the registry key. To do this, follow these steps:
- Locate and then click the following registry key in Registry Editor:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
- On the Edit menu, point to New, and then click Key.
- In the left pane, change the name of the new registry key to Parameters.
- Click the Parameters registry key.
- Locate and then click the following registry key in Registry Editor:
- On the Edit menu, point to New, and then click DWORD Value.
- In the right pane, change the name of the new registry value to MaxTokenSize.
- In the right pane, right-click MaxTokenSize, and then click Modify.
- In the Edit DWORD Value dialog box, click Decimal in the Base box.
- In the Value data box, type 65,535.
- Click OK.
- Close Registry Editor.
- Restart the computer.
Use SQL Query Analyzer to connect to the instance of SQL Server 2000 or SQL Server 2000 Desktop Engine by using Windows Authentication. You can also run the following command at a command prompt:
osql -E -S Instance Name of SQL Server 2000 or SQL Server 2000 Desktop Engine
REFERENCES
263693 Group Policy may not be applied to users belonging to many groups
297869 SMS administrator issues after you modify the Kerberos MaxTokenSize registry value
Additional query words: win auth osql msde fails failure
Keywords: kberrmsg kbregistry kbkerberos kbprb kbauthentication KB867581