RESOLUTION

Service pack information

To resolve this problem, obtain the latest service pack for Exchange Server 2003 . For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Other resolution methods

This problem involves a buffering problem with the Wininet component in Microsoft Internet Explorer. To resolve this problem, use one of the following methods:

Method 1

1. Install the hotfix that is listed in the following article:

   277741 Internet Explorer logon fails due to an insufficient buffer for Kerberos

2. Set the MaxTokenSize registry value on all client computers.

Method 2

1. Install Microsoft Windows 2000 Service Pack 2 or a later Windows 2000 service pack.
2. Set the MaxTokenSize registry value on all client computers.

Method 3

1. Update Microsoft Internet Explorer.
   
   To obtain the latest version of Internet Explorer, visit the following Microsoft Web site.

   http://www.microsoft.com/ie

2. Set the MaxTokenSize registry value on all client computers.

How to set the MaxTokenSize registry value

This resolution provides a registry value that you can use to increase the size of the Kerberos version 5 protocol token. For example, if you increase the token size to 64 kilobytes (KB), a user can belong to more than 1600 groups. Because of the associated security identifier (SID) information, this number may vary.

To set this registry value, follow these steps:

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following subkey:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos

   Note If the Parameters subkey is not listed under the Kerberos subkey, follow these steps:

   1. Right-click Kerberos, point to New, and then click Key.
   2. Type Parameters, and then press ENTER.
3. Right-click the Parameters subkey, point to New, click DWORD Value, and then type MaxTokenSize.
4. Double-click MaxTokenSize, set the decimal value to 65535, and then click OK.
   
   Note The default decimal value for the MaxTokenSize registry value is 12000. Microsoft recommends that you set this decimal value to 65535 or that you set the hexadecimal value to FFFF. If you incorrectly set this value to 65535 hexadecimal, Kerberos authentication operations may fail. Additionally, programs may return errors. The 65535 hexadecimal value is an extremely large value.
5. Quit Registry Editor.
6. After you set the MaxTokenSize registry value, and after the computer is updated, restart the computer.
   
   Note Although you must update the domain controllers individually, you can use Group Policy settings to set this registry value for client computers that have also been updated. You must configure all client computers and all servers in the domain with this registry modification. You must also install Microsoft Windows 2000 Service Pack 2 or the hotfix in Method 1 on all the computers.