Q: Our Helpdesk recently learned about a Kerberos authentication problem that occurs if users are members of more than 100 groups. What's the reason behind this problem, and how can we troubleshoot and resolve it?
A: Microsoft extended the base Kerberos protocol to enable a Kerberos ticket to include authorization data. A Windows Server 2003 ticket and ticket-granting ticket (TGT) both contain a special field called the Privilege Attribute Certificate (PAC). The PAC enables the Kerberos protocol to transport authorization data such as user group memberships and user rights. The Kerberos ticket has a fixed size, which indirectly also limits the PAC size. If a user is a member of many groups (100 groups or more), the PAC size might exceed the limit, and, as a consequence, Windows authentication and Group Policy processing might fail.
You can adjust the maximum size of a Kerberos ticket using the MaxTokenSize registry parameter. This parameter is a REG_DWORD value and is contained in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos registry subkey. In Windows 2000, the default MaxTokenSize value is 8000 bytes. In Microsoft Windows Server 2003 and Win2K Service Pack 2 (SP2), the default value is 12,000 bytes. You can learn more details about the MaxTokenSize parameter in the Microsoft article "New Resolution for Problems That Occur When Users Belong to Many Groups" (http://support.microsoft.com/?kbid=327825). To reduce the PAC size, Microsoft also implemented a new method to store authorization data in the PAC in Windows 2003 and Win2K SP4. This solution is also available as a hotfix for pre-Win2K SP4 machines. You can download the hotfix from http://support.microsoft.com/default.aspx?scid=fh;en-us;cntactms. This new PAC authorization data storage method can be summarized as follows:
- If the global and universal groups that a user belongs to are local to the domain the user is in, then only the Relative Identifier (RID) is stored.
- If the groups are local groups or are from other domains, the entire SID is stored.
To find out how large a given user's token actually is, Microsoft provides the tokensz tool, which you run against a target server, for example:
tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:
You can find more information about using the tool in the "Troubleshooting Kerberos Errors" Microsoft white paper, which is available from http://www.microsoft.com/downloads/details.aspx?FamilyID=7dfeb015-6043-47db-8238-dc7af89c93f1&displaylang=en.
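Before raising MaxTokenSize, it helps to estimate how large a user's token will be. The following is an added example, not from the column or from Microsoft, that applies the PAC storage rule described above (RID only for global and universal groups in the user's own domain, full SID otherwise) using the sizing estimate from the cited KB 327825 article, TokenSize = 1200 + 40d + 8s. The group list and domain SIDs are constructed sample input, not read from Active Directory.

```python
"""Estimate a user's Kerberos token (PAC) size from group memberships.

Sizing rule from Microsoft KB 327825: TokenSize = 1200 + 40*d + 8*s, where
d counts groups stored as a full SID (domain local groups, universal groups
from other domains, SID-history entries) and s counts groups stored as a
RID only (global and universal groups in the user's own domain).
"""
from dataclasses import dataclass

TICKET_OVERHEAD = 1200          # estimated ticket overhead (KB 327825)
FULL_SID_BYTES = 40             # group stored as a complete SID
RID_ONLY_BYTES = 8              # group stored as RID plus attributes
DEFAULT_MAX_TOKEN_SIZE = 12000  # Windows Server 2003 / Win2K SP2 default


@dataclass
class Group:
    sid: str    # constructed sample SID, e.g. "S-1-5-21-111-222-333-1105"
    scope: str  # "global", "universal" or "domainlocal"


def domain_of(sid: str) -> str:
    """Drop the RID (last sub-authority) to get the issuing domain SID."""
    return sid.rsplit("-", 1)[0]


def is_rid_only(group: Group, user_domain_sid: str) -> bool:
    """Global/universal groups local to the user's domain store only the RID."""
    return group.scope in ("global", "universal") and domain_of(group.sid) == user_domain_sid


def estimate_token_size(groups, user_domain_sid, sid_history=0):
    """Return the estimated token size in bytes for the given memberships."""
    s = sum(1 for g in groups if is_rid_only(g, user_domain_sid))
    d = len(groups) - s + sid_history
    return TICKET_OVERHEAD + FULL_SID_BYTES * d + RID_ONLY_BYTES * s


def fits_in_token(estimate, max_token_size=DEFAULT_MAX_TOKEN_SIZE):
    """True if the estimate fits within the configured MaxTokenSize."""
    return estimate <= max_token_size


# Constructed sample: a user in one domain with 150 global groups there,
# 250 domain local groups, and 20 universal groups from another domain.
USER_DOMAIN = "S-1-5-21-111-222-333"
OTHER_DOMAIN = "S-1-5-21-444-555-666"
SAMPLE_GROUPS = (
    [Group(f"{USER_DOMAIN}-{1100 + i}", "global") for i in range(150)]
    + [Group(f"{USER_DOMAIN}-{2000 + i}", "domainlocal") for i in range(250)]
    + [Group(f"{OTHER_DOMAIN}-{3000 + i}", "universal") for i in range(20)]
)

if __name__ == "__main__":
    est = estimate_token_size(SAMPLE_GROUPS, USER_DOMAIN)
    print(f"estimated token size: {est} bytes")
    print("fits in default MaxTokenSize" if fits_in_token(est)
          else "exceeds default MaxTokenSize; raise MaxTokenSize on the relevant machines")
```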