JSI Tip 9996. Authentication may fail if a user is a member of too many groups?


If a user is a member of from 70 - 120 or more groups, Kerberos authentication may fail because a pre-allocated PAC (Privilege Attribute Certificate) buffer may fill up.

NOTE: The error is usually reported as 0x3C - KRB_ERR_GENERIC: Generic error.

You can use the Windows Server 2003 Kerberos Token Size, Tokensz.exe to calculate / show the number of groups:

tokensz /calc_groups UserName \[/domain:Domain\] \[/user:AuthorizedUserName\] \[/Password:AuthorizedUserPassword\] \[/system\]

Where:

/calc_groups                     - must be run on Windows Server 2003 DC.

UserName                         - The user to enumerate.

/domain:Domain                   - The domain that UserName is a member of.

/user:AuthorizedUserName         - Account with permission to query group membership.

/Password:AuthorizedUserPassword - The password for /user:AuthorizedUserName.

/system                          - Run under the Local System account context.
NOTE: Nested groups are also shown.

When I ran tokensz /calc_groups Jerry on my Windows Server 2003 PDC emulator, I received:

Username = Jerry
TS Session ID: 0
User
    S-1-5-21-7899789789-123123123-3712237043-1117
Groups:
 00   S-1-5-21-7899789789-123123123-3712237043-512      Attributes - Mandatory Default Enabled
 01   S-1-1-0   Attributes - Mandatory Default Enabled
 02   S-1-5-32-544      Attributes - Mandatory Default Enabled Owner
 03   S-1-5-32-554      Attributes - Mandatory Default Enabled
 04   S-1-5-32-545      Attributes - Mandatory Default Enabled
 05   S-1-5-2   Attributes - Mandatory Default Enabled
 06   S-1-5-11  Attributes - Mandatory Default Enabled
 07   S-1-5-15  Attributes - Mandatory Default Enabled
 08   S-1-5-5-0-76583476        Attributes - Mandatory Default Enabled LogonId
 09   S-1-5-21-7899789789-123123123-3712237043-1129     Attributes - Mandatory Default Enabled
 10   S-1-5-21-7899789789-123123123-3712237043-1135     Attributes - Mandatory Default Enabled
 11   S-1-5-21-7899789789-123123123-3712237043-1130     Attributes - Mandatory Default Enabled
 12   S-1-5-21-7899789789-123123123-3712237043-518      Attributes - Mandatory Default Enabled
 13   S-1-5-21-7899789789-123123123-3712237043-519      Attributes - Mandatory Default Enabled
Primary Group:
    S-1-5-21-7899789789-123123123-3712237043-512
Privs

 00 0x000000008 SeSecurityPrivilege               Attributes - Enabled Default
 01 0x000000011 SeBackupPrivilege                 Attributes - Enabled Default
 02 0x000000012 SeRestorePrivilege                Attributes - Enabled Default
 03 0x00000000c SeSystemtimePrivilege             Attributes - Enabled Default
 04 0x000000013 SeShutdownPrivilege               Attributes - Enabled Default
 05 0x000000018 SeRemoteShutdownPrivilege         Attributes - Enabled Default
 06 0x000000009 SeTakeOwnershipPrivilege          Attributes - Enabled Default
 07 0x000000014 SeDebugPrivilege                  Attributes - Enabled Default
 08 0x000000016 SeSystemEnvironmentPrivilege      Attributes - Enabled Default
 09 0x00000000b SeSystemProfilePrivilege          Attributes - Enabled Default
 10 0x00000000d SeProfileSingleProcessPrivilege   Attributes - Enabled Default
 11 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes - Enabled Default
 12 0x00000000a SeLoadDriverPrivilege             Attributes - Enabled Default
 13 0x00000000f SeCreatePagefilePrivilege         Attributes - Enabled Default
 14 0x000000005 SeIncreaseQuotaPrivilege          Attributes - Enabled Default
 15 0x000000019 SeUndockPrivilege                 Attributes - Enabled Default
 16 0x00000001c Unknown Privilege                 Attributes - Enabled Default
 17 0x00000001d Unknown Privilege                 Attributes - Enabled Default
 18 0x00000001e Unknown Privilege                 Attributes - Enabled Default
 19 0x00000001b SeEnableDelegationPrivilege       Attributes - Enabled Default
 20 0x000000006 SeUnsolicitedInputPrivilege       Attributes - Enabled Default
 21 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default

Auth ID  0:45b2a27
Impersonation Level:  Identification
TokenType  Impersonation
When I ran tokensz /compute_tokensize on my Windows XP workstation, I received:
Name: Kerberos Comment: Microsoft Kerberos V1.0
Current PackageInfo->MaxToken: 12000

Using user to user
QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4-HMAC
KeySize = 128
Flags = 2083e
Signature Algorithm = -138
Encrypt Algorithm = 23
   Start:12/21/2005 6:09:07
  Expiry:12/21/2005 12:36:57
Current Time: 12/21/2005 6:09:08
MaxToken (complete context)  1193
The command shows that I am only using 1193 out of a max of 12000 for PAC.



Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish