If a user is a member of roughly 70 to 120 or more groups, Kerberos authentication may fail because the pre-allocated buffer that receives the PAC
(Privilege Attribute Certificate, the part of the Kerberos ticket that lists the user's group SIDs) can fill up. Every group the user belongs to, nested groups included, adds to the size of the PAC.
NOTE: The error is usually reported as 0x3C (decimal 60), KRB_ERR_GENERIC: Generic error.
You can use the Windows Server 2003 Kerberos Token Size tool, Tokensz.exe, to calculate and show the number of groups in a user's token:
tokensz /calc_groups UserName [/domain:Domain] [/user:AuthorizedUserName] [/Password:AuthorizedUserPassword] [/system]
Where:
/calc_groups - Must be run on a Windows Server 2003 DC.
UserName - The user to enumerate.
/domain:Domain - The domain that UserName is a member of.
/user:AuthorizedUserName - An account with permission to query group membership.
/Password:AuthorizedUserPassword - The password for /user:AuthorizedUserName.
/system - Run under the Local System account context.
NOTE: Nested groups are also shown.
When I ran tokensz /calc_groups Jerry on my Windows Server 2003 PDC emulator, I received:
Username = Jerry
TS Session ID: 0
User S-1-5-21-7899789789-123123123-3712237043-1117
Groups:
00 S-1-5-21-7899789789-123123123-3712237043-512 Attributes - Mandatory Default Enabled
01 S-1-1-0 Attributes - Mandatory Default Enabled
02 S-1-5-32-544 Attributes - Mandatory Default Enabled Owner
03 S-1-5-32-554 Attributes - Mandatory Default Enabled
04 S-1-5-32-545 Attributes - Mandatory Default Enabled
05 S-1-5-2 Attributes - Mandatory Default Enabled
06 S-1-5-11 Attributes - Mandatory Default Enabled
07 S-1-5-15 Attributes - Mandatory Default Enabled
08 S-1-5-5-0-76583476 Attributes - Mandatory Default Enabled LogonId
09 S-1-5-21-7899789789-123123123-3712237043-1129 Attributes - Mandatory Default Enabled
10 S-1-5-21-7899789789-123123123-3712237043-1135 Attributes - Mandatory Default Enabled
11 S-1-5-21-7899789789-123123123-3712237043-1130 Attributes - Mandatory Default Enabled
12 S-1-5-21-7899789789-123123123-3712237043-518 Attributes - Mandatory Default Enabled
13 S-1-5-21-7899789789-123123123-3712237043-519 Attributes - Mandatory Default Enabled
Primary Group: S-1-5-21-7899789789-123123123-3712237043-512
Privs
00 0x000000008 SeSecurityPrivilege Attributes - Enabled Default
01 0x000000011 SeBackupPrivilege Attributes - Enabled Default
02 0x000000012 SeRestorePrivilege Attributes - Enabled Default
03 0x00000000c SeSystemtimePrivilege Attributes - Enabled Default
04 0x000000013 SeShutdownPrivilege Attributes - Enabled Default
05 0x000000018 SeRemoteShutdownPrivilege Attributes - Enabled Default
06 0x000000009 SeTakeOwnershipPrivilege Attributes - Enabled Default
07 0x000000014 SeDebugPrivilege Attributes - Enabled Default
08 0x000000016 SeSystemEnvironmentPrivilege Attributes - Enabled Default
09 0x00000000b SeSystemProfilePrivilege Attributes - Enabled Default
10 0x00000000d SeProfileSingleProcessPrivilege Attributes - Enabled Default
11 0x00000000e SeIncreaseBasePriorityPrivilege Attributes - Enabled Default
12 0x00000000a SeLoadDriverPrivilege Attributes - Enabled Default
13 0x00000000f SeCreatePagefilePrivilege Attributes - Enabled Default
14 0x000000005 SeIncreaseQuotaPrivilege Attributes - Enabled Default
15 0x000000019 SeUndockPrivilege Attributes - Enabled Default
16 0x00000001c Unknown Privilege Attributes - Enabled Default
17 0x00000001d Unknown Privilege Attributes - Enabled Default
18 0x00000001e Unknown Privilege Attributes - Enabled Default
19 0x00000001b SeEnableDelegationPrivilege Attributes - Enabled Default
20 0x000000006 SeUnsolicitedInputPrivilege Attributes - Enabled Default
21 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
Auth ID 0:45b2a27
Impersonation Level: Identification
TokenType Impersonation
When I ran tokensz /compute_tokensize on my Windows XP workstation, I received:
Name: Kerberos
Comment: Microsoft Kerberos V1.0
Current PackageInfo->MaxToken: 12000
Using user to user
QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4-HMAC
KeySize = 128
Flags = 2083e
Signature Algorithm = -138
Encrypt Algorithm = 23
Start:12/21/2005 6:09:07
Expiry:12/21/2005 12:36:57
Current Time: 12/21/2005 6:09:08
MaxToken (complete context) 1193
The command shows that I am only using 1193 bytes out of a max of 12000 for the PAC.
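The script below is an added example; it is not part of the original page and is not tokensz code. It parses the Groups section of tokensz /calc_groups output (both the one-entry-per-line form and output that has been flattened onto a single line), then estimates how much of the MaxToken budget those groups consume with Microsoft's KB 327825 rule of thumb, TokenSize = 1200 + 40d + 8s. Because a SID does not record group scope, the script assumes that every group SID in the user's own domain is an s-type (RID-only) entry and that every BUILTIN or foreign-domain group SID is a d-type (full SID) entry; identity SIDs such as Everyone, Authenticated Users and the logon-session SID are not counted. The sample output, its domain SIDs and RIDs, and the function names (parse_tokensz, classify, assess) are all constructed for this example.

```python
"""Estimate how much of the Kerberos MaxToken budget a user's groups consume.

Added example, not part of the original page and not tokensz code. The size
rule is Microsoft's KB 327825 estimate TokenSize = 1200 + 40*d + 8*s, where
d counts domain-local, foreign-domain and SID-history entries and s counts
global/universal groups from the account's own domain. A SID does not carry
group scope, so this script ASSUMES (simplification) that any group SID in
the user's own domain is an s-type entry and any BUILTIN or foreign-domain
group SID is a d-type entry; identity SIDs are not counted.
"""
import re

# Constructed sample in the layout tokensz /calc_groups prints. The domain
# SIDs and RIDs are made up for this example.
SAMPLE_TOKENSZ_OUTPUT = """\
Username = Jerry
TS Session ID: 0
User S-1-5-21-1000000001-2000000002-3000000003-1117
Groups:
00 S-1-5-21-1000000001-2000000002-3000000003-512 Attributes - Mandatory Default Enabled
01 S-1-1-0 Attributes - Mandatory Default Enabled
02 S-1-5-32-544 Attributes - Mandatory Default Enabled Owner
03 S-1-5-32-545 Attributes - Mandatory Default Enabled
04 S-1-5-11 Attributes - Mandatory Default Enabled
05 S-1-5-5-0-76583476 Attributes - Mandatory Default Enabled LogonId
06 S-1-5-21-1000000001-2000000002-3000000003-1129 Attributes - Mandatory Default Enabled
07 S-1-5-21-4000000004-5000000005-6000000006-1105 Attributes - Mandatory Default Enabled
Primary Group: S-1-5-21-1000000001-2000000002-3000000003-512
Privs
00 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
"""

DEFAULT_MAX_TOKEN_SIZE = 12000  # PackageInfo->MaxToken shown by tokensz /compute_tokensize
PAC_BASE_OVERHEAD = 1200        # fixed part of the KB 327825 estimate
COST_FULL_SID = 40              # per d-type entry (carried as a full SID)
COST_RID_ONLY = 8               # per s-type entry (carried as RID + attributes)

_SID = r"S-1-(?:\d+-)+\d+"
# SIDs that describe the logon identity rather than a group an admin controls.
_IDENTITY_PREFIXES = ("S-1-1-", "S-1-2-", "S-1-3-", "S-1-5-5-")
_IDENTITY_EXACT = {"S-1-5-2", "S-1-5-4", "S-1-5-9", "S-1-5-11", "S-1-5-15"}


def parse_tokensz(text):
    """Return (user_sid, [group_sid, ...]) from tokensz /calc_groups output.

    Scans the span between 'Groups:' and 'Primary Group:', so it works whether
    the output has one entry per line or was flattened onto a single line.
    """
    user = re.search(r"\bUser\s+(" + _SID + ")", text)
    if not user:
        raise ValueError("no 'User S-1-...' line in tokensz output")
    start = text.find("Groups:")
    if start == -1:
        raise ValueError("no 'Groups:' section in tokensz output")
    end = text.find("Primary Group:", start)
    section = text[start:end if end != -1 else len(text)]
    groups = re.findall(r"\b\d{2,3}\s+(" + _SID + ")", section)
    return user.group(1), groups


def domain_of(sid):
    """Everything before the final RID, e.g. the domain SID or 'S-1-5-32'."""
    return sid.rsplit("-", 1)[0]


def classify(user_sid, group_sids):
    """Split group SIDs into (d, s) counts under the assumption stated above."""
    home = domain_of(user_sid)
    d = s = 0
    for sid in group_sids:
        if sid in _IDENTITY_EXACT or sid.startswith(_IDENTITY_PREFIXES):
            continue
        if domain_of(sid) == home:
            s += 1
        else:
            d += 1  # BUILTIN (S-1-5-32-*) and other domains travel as full SIDs
    return d, s


def estimate_token_size(d, s):
    """KB 327825 rule of thumb: 1200 + 40*d + 8*s bytes."""
    return PAC_BASE_OVERHEAD + COST_FULL_SID * d + COST_RID_ONLY * s


def assess(text, max_token_size=DEFAULT_MAX_TOKEN_SIZE):
    """Parse tokensz output and report the estimate against MaxToken."""
    user_sid, groups = parse_tokensz(text)
    d, s = classify(user_sid, groups)
    size = estimate_token_size(d, s)
    return {
        "user_sid": user_sid,
        "groups": len(groups),
        "d": d,
        "s": s,
        "estimate": size,
        "max_token_size": max_token_size,
        "fits": size <= max_token_size,
        # worst case: how many more full-SID (d-type) groups fit before MaxToken
        "headroom_groups": max(0, (max_token_size - size) // COST_FULL_SID),
    }


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TOKENSZ_OUTPUT
    r = assess(data)
    print(f"{r['user_sid']}: {r['groups']} SIDs in token, d={r['d']} s={r['s']}")
    print(f"estimated token size {r['estimate']} of {r['max_token_size']} bytes "
          f"({'ok' if r['fits'] else 'EXCEEDS MaxToken'}), "
          f"room for about {r['headroom_groups']} more full-SID groups")
```

Run it as `python tokensz_estimate.py saved_output.txt` against captured /calc_groups output, or with no argument to use the built-in sample. Treat the result as a rule of thumb only: the MaxToken (complete context) figure that /compute_tokensize prints is the measured size, and the 1200-byte overhead and per-entry costs are KB 327825's approximations. If the estimate approaches the MaxToken value, the documented remedy in KB 327825 is to raise the MaxTokenSize REG_DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters on the affected clients and servers, or to trim the user's group membership.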