Article ID: 920599
Article Last Modified on 11/1/2006
APPLIES TO
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows XP Professional
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows Server 2003, Web Edition
SYMPTOMS
You configure an unattended setup to install and join computers to a domain. These computers are running Microsoft Windows 2000, Microsoft Windows XP, or Microsoft Windows Server 2003. When you do this, you receive an error message that resembles the following:
CAUSE
This problem occurs when the Kerberos version 5 protocol token for a user account that is listed in the unattended answer file is too large.
Consider the following scenario. A user who performs the domain join as specified in the unattended answer file is a member of a security group either directly or by membership in another security group. In this scenario, the security identifier (SID) for each security group is added to the user's token. The Kerberos token is used to communicate that a SID must be added to the user's token.
However, the Kerberos token has a fixed size. If the required SID information exceeds the size of the Kerberos token, authentication is unsuccessful. The number of security groups varies, but the minimum number is approximately 70 to 80 security groups.
For many operations, NTLM authentication succeeds. Also, the Kerberos authentication problem may not be easy to find without analysis. However, operations that include Group Policy settings do not work at all.
WORKAROUND
To work around this issue, modify the Hivesys.inf file in i386 folder of the Windows distribution share.
Note Editing .inf files incorrectly can cause fatal errors to occur during the Setup process. We recommend that you create a backup copy of the Hivesys.inf file before you modify the file.
- Use any text editor, such as Notepad, to open the Hivesys.inf file. This file is located in the i386 folder of the distribution share.
- Locate the following line:
HKLM,"SYSTEM\CurrentControlSet\Control\MediaProperties",,0x00000012
- Above the line that you located in step 2, add a new line as follows:
HKLM,"SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters","MaxTokenSize",0x00010003,0xffff
- Save and then close the file.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
REFERENCES
For more information about how to perform an unattended installation of Windows 2000 from a CD-ROM, click the following article number to view the article in the Microsoft Knowledge Base:
216258 How to perform an unattended installation of Windows from a CD-ROM
For more information about how to perform an unattended installation of Windows XP from a CD-ROM, click the following article number to view the article in the Microsoft Knowledge Base:
314459 How to perform an unattended installation of Windows from a CD-ROM
For more information about how to use Setup Manager to create an answer file in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
323438 How to use Setup Manager to create an answer file in Windows Server 2003
For more information about unattended setup parameters for the Unattend.txt file, click the following article number to view the article in the Microsoft Knowledge Base:
155197 Unattended setup parameters for Unattend.txt file
Keywords: kbtshoot kbprb KB920599
