Microsoft KB Archive/263693

From BetaArchive Wiki

Article ID: 263693

Article Last Modified on 2/22/2007


APPLIES TO

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition


This article was previously published under Q263693

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry


SYMPTOMS

If a user is a member of many groups either directly or because of group nesting, Kerberos authentication may not work. The Group Policy object (GPO) may not be applied to the user and the user may not be validated to use network resources.

CAUSE

The Kerberos token has a fixed size. If a user is a member of a group either directly or by membership in another group, the security ID (SID) for that group is added to the user's token. For a SID to be added to the user's token, it must be communicated by using the Kerberos token. If the required SID information exceeds the size of the token, authentication does not succeed. The number of groups varies, but the limit is approximately 70 to 80 groups.

For many operations, Windows NTLM authentication succeeds; the Kerberos authentication problem may not be evident without analysis. However, operations that include GPO application do not work at all.

RESOLUTION

Service pack information

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack


Hotfix information

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows 2000 Service Pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support


Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

File information

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. 

Date        Time    Version        Size     File name
--------------------------------------------------------

01/25/2001  02:24p  5.0.2195.2842  130,320  Adsldpc.dll
01/25/2001  02:24p  5.0.2195.2835  348,944  Advapi32.dll
01/25/2001  02:23p  5.0.2195.2816  502,032  Instls5.dll
01/25/2001  02:24p  5.0.2195.2842  140,560  Kdcsvc.dll
01/17/2001  01:17p  5.0.2195.2842  198,928  KERBEROS.dll
12/19/2000  09:13p  5.0.2195.2808   69,456  Ksecdd.sys
01/25/2001  02:24p  5.0.2195.2816  484,112  Lsasrv.dll
01/02/2001  08:45a  5.0.2195.2816   33,552  Lsass.exe
01/23/2001  05:06p  5.0.2195.2850  108,816  Msv1_0.dll
01/25/2001  02:24p  5.0.2195.2844  912,656  Ntdsa.dll
01/25/2001  02:24p  5.0.2195.2780  363,280  Samsrv.dll
01/25/2001  02:24p  5.0.2195.2797  128,272  Wldap32.dll

Note that you must use a registry parameter that is available with this hotfix to increase the Kerberos token size. See the "More Information" section of this article for additional information.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows 2000 Service Pack 2.

MORE INFORMATION

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

A registry parameter is available after you apply this hotfix that you can use to increase the Kerberos token size. For example, increasing the token size to 65 KB allows a user to be present in more than 900 groups. Because of the associated SID information, this number may vary.

To use this parameter:

  1. Start Registry Editor (Regedt32.exe).
  2. Locate and click the following key in the registry:

    System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

  3. If this key is not present, create the key. To do so:
    1. Click the following key in the registry:

      System\CurrentControlSet\Control\Lsa\Kerberos

    2. On the Edit menu, click Add Key.
    3. Create a Parameters key.
    4. Click the new Parameters key.
  4. On the Edit menu, click Add Value, and then add the following registry value:

    Value name: MaxTokenSize
    Data type: REG_DWORD
    Radix: Decimal
    Value data: 65535

  5. Quit Registry Editor.

The default value for MaxTokenSize is 12000 decimal. We recommend that you set this value to 65535 decimal, FFFF hexadecimal. If you set this value incorrectly to 65535 hexadecimal (an extremely large value) Kerberos authentication operations may fail, and programs may return errors. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

297869 SMS administrator issues after you modify the Kerberos MaxTokenSize registry value


After you set the value and the computer is updated, restart the computer. You can use Group Policy settings to set this value for all computers. If you add the registry key to computers before you apply the hotfix or Windows 2000 SP2, no changes take effect.

For additional information about this registry value, click the following article number to view the article in the Microsoft Knowledge Base:

313661 Error Message: "Timeout expired" occurs when you connect to SQL Server over TCP/IP and the Kerberos MaxTokenSize is greater than 0xFFFF


300367 DCOM client may put memory on the wire


Frequently Asked Questions

  • Question: Do I apply this hotfix from the hotfix package or from Windows 2000 Service Pack 2?


Answer: You can apply either the Q263693 hotfix or apply Windows 2000 SP2.

  • Question: Do I have to modify the registry as mentioned in this article after I apply this hotfix?


Answer: By default, Microsoft supports the user belonging to 70-80 groups. If you want to support more groups, then you have to adjust the value in the registry accordingly. Follow the guideline example provided in this article.

  • Question: Where do I have to apply this hotfix and make the registry changes?


Answer: You must implement the registry setting on every computer in the enterprise that is running Windows 2000 and/or Microsoft Windows XP. This includes domain controllers, member servers, and client computers. The hotfix is also required for computers that are running Windows 2000 Service Pack 1 or earlier.

  • Question: I log on to the domain through Terminal Server Session (TS is running on Member Servers), so where do I have to install the fix?


Answer: Install the Q263693 Kerberos fixes on the domain controllers only.

  • Question: How does this hotfix affect the system performance on authentication?


Answer: The token size will be a statically defined data structure. 65K is a relatively low penalty to pay for most systems. However, if the user is a member of ~1000 groups, the authentication time will be greater than if the number of groups is smaller. In other words, if the token size is increased, there should be no observable performance penalty other than memory resource consumption. This applies to operations including GPO initialization. This is because the actual Kerberos information sent on the wire is not of a fixed size. Its size depends upon the group/SID information required.

  • Question: How does this affect the memory resource on domain controllers and workstations?


Answer: The domain controller generates the User Access Ticket, but the allocation is on the workstation. So you will see the insignificant memory usage on the workstations depending on the Token size you set in the registry.

References

For additional informations, click the following article number to view the article in the Microsoft Knowledge Base:

277741 Internet Explorer logon fails due to an insufficient buffer for Kerberos


297869 SMS administrator issues after you modify the Kerberos MaxTokenSize registry value


For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the following article number to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 hotfixes


Keywords: kbhotfixserver kbqfe kbbug kbfix kbwin2000presp2fix KB263693



Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.


Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/263693&oldid=145144
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki