MaxTokenSize and Kerberos Token Bloat


Overview of MaxTokenSize

The MaxTokenSize by default is 12,000 bytes. This has been the default value since Windows 2000 SP2 and is still the default in Windows 7 and Windows 2008 R2. As companies grow, so does the number of groups within your organization. If a user's Kerberos token becomes too big, the user will receive error messages during logon, and applications that use Kerberos authentication will potentially fail as well.

Updated Guidance and Recommendations

In the past our guidance stated that you could increase the MaxTokenSize registry entry to 65535. However, because HTTP base64-encodes authentication context tokens, which imposes its own size limits, the default value of the MaxTokenSize registry entry starting with Windows Server 2012 is 48000 bytes. This is why we recommend that you set MaxTokenSize no larger than 48000 bytes on any OS version.


How to reduce Kerberos token bloat

To reduce the Kerberos ticket size you can:

  • Reduce/consolidate group membership
  • Clean up SID History
  • Limit the number of accounts that are configured as "trusted for delegation". For accounts that are trusted for delegation, the buffer requirement for each SID may double.


How to prevent Kerberos login errors due to token bloat

To allow a user to be a member of more than 900 groups, you can increase MaxTokenSize by modifying the following registry key on all workstations.

To use this parameter:

  1. Start Registry Editor (Regedt32.exe).
  2. Locate and click the following key in the registry:
     System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  3. If this key is not present, create the key. To do so:
     1. Click the following key in the registry:
        System\CurrentControlSet\Control\Lsa\Kerberos
     2. On the Edit menu, click Add Key.
     3. Create a Parameters key.
     4. Click the new Parameters key.
  4. On the Edit menu, click Add Value, and then add the following registry value:
     Value name: MaxTokenSize
     Data type: REG_DWORD
     Radix: Decimal
     Value data: 48000
  5. Quit Registry Editor.
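The same change, scripted for an elevated PowerShell session (an added example, not code from the original post): it creates the Parameters key if it is missing, writes MaxTokenSize as a decimal REG_DWORD, and reads the value back. The function name Set-MaxTokenSize is my own; the key path, value name and 48000-byte ceiling come from the post.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell session.
function Set-MaxTokenSize {
    param(
        # The post's guidance: never larger than 48000 bytes on any OS version.
        [ValidateRange(1, 48000)]
        [int]$Bytes = 48000
    )
    # Key path from the post's steps (HKLM hive).
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

    # Step 3: create the Parameters key if it is not present.
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }

    # Report the existing value, if any, before overwriting it.
    $existing = Get-ItemProperty -Path $keyPath -Name 'MaxTokenSize' -ErrorAction SilentlyContinue
    if ($null -ne $existing) {
        Write-Host "Current MaxTokenSize: $($existing.MaxTokenSize)"
    } else {
        Write-Host "MaxTokenSize not set; the built-in default applies."
    }

    # Step 4: REG_DWORD with a decimal value.
    New-ItemProperty -Path $keyPath -Name 'MaxTokenSize' -PropertyType DWord `
        -Value $Bytes -Force | Out-Null

    # Read the value back and confirm it was applied.
    $applied = (Get-ItemProperty -Path $keyPath -Name 'MaxTokenSize').MaxTokenSize
    if ($applied -ne $Bytes) {
        throw "MaxTokenSize readback ($applied) does not match requested value $Bytes"
    }
    Write-Host "MaxTokenSize set to $applied bytes. Restart the computer for the change to take effect."
}

Set-MaxTokenSize -Bytes 48000
```

Deploying this to many machines is better done through the Group Policy registry preference described in the linked KB 938118 than by running the script on each host.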

However, keep in mind that there is a hard limit of 1,015 groups a user can be a member of. If a user tries to log on to a computer by using a local or domain account and is a member of more than 1,015 groups, they will get this logon message: The system cannot log you on due to the following error: During a logon attempt, the user's security context accumulated too many security IDs. Please try again or consult your system administrator.


How to use Group Policy to add the MaxTokenSize registry entry to multiple computers

https://support.microsoft.com/kb/938118/EN-US

New resolution for problems with Kerberos authentication when users belong to many groups
https://support.microsoft.com/kb/327825

"HTTP 400 - Bad Request (Request Header too long)" error in Internet Information Services (IIS)
https://support.microsoft.com/default.aspx?scid=kb;EN-US;2020943

Users who are members of more than 1,015 groups may fail logon authentication
https://support.microsoft.com/kb/328889/

Group Policy may not be applied to users belonging to many groups
https://support.microsoft.com/kb/263693/

Comments

  1. You don't state clearly what the scope of the registry setting above is. All workstations / all member servers / all DCs / all computers in the domain / forest?
  2. If the registry is set, is it still required to adjust / hand-tune all IIS servers / Exchange servers to also accept the bloated tokens?
  • Anonymous
    March 25, 2013
    Thanks for the feedback soder. I will update my blog post with recommended guidance on where the MaxTokenSize registry key should be applied to. To answer your questions:
  1. If you are experiencing a token bloat issue in your environment, you can create a group policy and link it to your domain; this way all your workstations and servers get the registry key.
  2. If you modify the MaxTokenSize registry key on workstations and servers, more than likely you will have to modify IIS as well. For additional guidance on increasing the MaxFieldLength and MaxRequestBytes registry settings for IIS servers see this link: support.microsoft.com/.../2020943
  • Anonymous
    June 17, 2013
    "To allow a user to be a member of more than 900 groups." More information around how to approximately calculate the maximum number of groups a single user can be a member of would be VERY helpful, e.g. are you saying that by default the MaxTokenSize is 12,000 bytes, which is enough for a user to be a member of UP TO 900 security groups? Also, how is the max number of groups calculated, i.e. does the group type have an impact, e.g. domain local or global security group? (12,000 bytes divided by x number of domain local groups)

  • Anonymous
    August 08, 2013
    @shanec33: Technically your response is still not valid. Linking the GPO doesn't necessarily mean it will be applied to everything in the domain. It should say clearly, "Apply this GPO to DCs, member servers and all workstations". Please keep in mind the IIS error thing before applying it. Please correct me if I understood it wrong or misrepresented something.

  • Anonymous
    August 26, 2013
    So Is there any issue if we keep MaxTokenSize registry to 65535??

  • Anonymous
    December 03, 2013
    In case anyone wanted to know: domain local group SIDs are 40 bytes each in a Kerberos ticket; domain global and universal groups are 8 bytes each. There is a base token size of 1200 bytes. So you can calculate a token buffer size requirement as 1200 + (40 x # of domain local groups) + (8 x # of global/universal groups).
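The estimate from the comment above, applied to a real account (an added example, not from the post or its comments): it reads the account's tokenGroups attribute, which already includes nested membership, classifies each SID by group scope, and compares the result with MaxTokenSize and the 1,015-group limit. It assumes the ActiveDirectory module is available; the function name, the placeholder account name and the 8-byte treatment of unresolved SIDs are my own assumptions.

```powershell
# Added example, not from the original post or its comments.
# Uses the commenter's figures: 1200-byte base, 40 bytes per domain local group,
# 8 bytes per global/universal group. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-EstimatedTokenSize {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        # Per the post, the per-SID buffer may double for accounts trusted for delegation.
        [switch]$TrustedForDelegation,
        # 12000 is the default named in the post; pass 48000 if it has been raised.
        [int]$MaxTokenSize = 12000
    )
    # tokenGroups is computed by the DC and includes nested group SIDs.
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $domainLocal = 0; $globalUniversal = 0; $unresolved = 0

    foreach ($sid in $user.tokenGroups) {
        try {
            $group = Get-ADGroup -Identity $sid.Value -ErrorAction Stop
            if ($group.GroupScope -eq 'DomainLocal') { $domainLocal++ } else { $globalUniversal++ }
        } catch {
            # Well-known or foreign-domain SIDs that do not resolve; assumed 8 bytes each.
            $unresolved++
        }
    }

    $perSidBytes = (40 * $domainLocal) + (8 * ($globalUniversal + $unresolved))
    if ($TrustedForDelegation) { $perSidBytes *= 2 }
    $estimate = 1200 + $perSidBytes
    $groupCount = @($user.tokenGroups).Count

    [pscustomobject]@{
        User            = $SamAccountName
        DomainLocal     = $domainLocal
        GlobalUniversal = $globalUniversal
        Unresolved      = $unresolved
        TotalGroups     = $groupCount
        EstimatedBytes  = $estimate
        MaxTokenSize    = $MaxTokenSize
        ExceedsMax      = ($estimate -gt $MaxTokenSize)
        Over1015Groups  = ($groupCount -gt 1015)   # hard limit from the post
    }
}

# 'jdoe' is a placeholder account name.
Get-EstimatedTokenSize -SamAccountName 'jdoe' -MaxTokenSize 48000
```

Accounts that report ExceedsMax or Over1015Groups are the ones to prioritise for group consolidation and SID History cleanup, since raising MaxTokenSize does nothing for the 1,015-group limit.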

  • Anonymous
    December 23, 2013
    Pingback from get-group-membership-count.ps1 - PowerSloth

  • Anonymous
    July 10, 2014
    "Glad" to see after 1 year since my last visit, the resolution of this issue is still not considered to be COMPLETE in this blogpost.

  • Anonymous
    November 24, 2014
    Soder is a clown.

  • Anonymous
    January 19, 2015
    Still, whether a reboot is required or not is not mentioned in the above steps. The rest of the information is quite useful and easy to understand. Thank you!

  • Anonymous
    February 26, 2015
    Reboot is Required.
