Recently I’ve faced a quite interesting problem when some users are unable to authenticate on some domain services due to the Kerberos token oversize. In this article, we’ll try to consider the peculiarities of building the Kerberos token, how a user can define its size and how to extend the buffer to store it.
Some users haven’t been able to access some deployed services. In particular, there has been an error when trying to connect to the RDS farm (“Access denied” error).
In the logs of Remote Desktop servers, the error Event Id 6 has been written:
The kerberos SSPI package generated an output token of size 21043 bytes, which was too large to fit in the token buffer of size 12000 bytes, provided by process id 4.
The output SSPI token being too large is probably the result of the user user@domain being a member of a large number of groups.
It is recommended to minimize the number of groups a user belongs to. If the problem can not be corrected by reduction of the group memberships of this user, please contact your system administrator to increase the maximum token size, which in term is configured machine-wide via the following registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.
The output SSPI token being too large is probably the result of the user user@domain being a member of a large number of groups.
It is recommended to minimize the number of groups a user belongs to. If the problem can not be corrected by reduction of the group memberships of this user, please contact your system administrator to increase the maximum token size, which in term is configured machine-wide via the following registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.
When trying to connect to SQL Server, the following error appeared in event log:
Event Id – 40960
The Security System detected an authentication error for the server XXXXXX. The failure code from authentication protocol Kerberos was “{Buffer Too Small}
The buffer is too small to contain the entry. No information has been written to the buffer.(0xc0000023).
The buffer is too small to contain the entry. No information has been written to the buffer.(0xc0000023).
The check of the rights to access these resources hasn’t shown any issues. During the further inspection, the following dependency has unveiled: all users facing the problem were the members of a lot of Active Directory security groups (over 200, including subgroups). Thus, we have come to a conclusion that the problem occurs due to the oversize of the Kerberos ticket used to authenticate users.
The Kerberos token Size
The size of the Kerberos tocken depends on the following things:
- The number of Active Directory security groups (including subgroups), a user is the member of (distribution groups are not included in the token)
- Use of SIDHistoryNote. The ticket oversize issue quite often occurs when users migrate between Active Directory domains and the old domain resources are accessed using SIDHistory
- Type of authentication used (a usual password or a multifactor, like smartcards)
- Whether the account is trusted for delegation
Kerberos uses the buffer to store the authentication data and transfers its size to the applications using Kerberos. The system parameter MaxTokenSize defines the size of the buffer. The buffer size matters, since some protocols, like RPC or HTTP, use it to set the memory block for authentication. If the size of the user authentication data is larger than the value in MaxTokenSize, the authentication fails. This can explain the authentication errors when accessing IIS, while the file access to the network resources is retained.
By default, the size of the Kerberos buffer (MaxTokenSize) is
- 12 KB in Windows 7 and Windows Server 2008R2
- Extended to 48 KB in Windows 8 and Windows Server 2012
Thus, if a user is the member of a lot of groups, all group descriptions do not fit in 12 KB, and when trying to access some resources, the authentication error appears.
Tip. There is a hard limit to the number of AD groups a user can be a member of. This limit is 1015 groups. If there are more groups, the following error occurs when a user logs on:The system cannot log you on due to the following error: During a logon attempt, the user’s security context accumulated too many security IDs. Please try again or consult your system administrator
How to Get the Current Size of the Kerberos Ticket
Windows doesn’t have the convenient built-in tools that allow to get the Kerberos token size for a certain user.
To know the current ticket size, use a third-party Powershell script CheckMaxTokenSize.ps1 (by Tim Springston — Microsoft). This script allows to get the current size of the token for a chosen user, the number of security groups in which it is included, the number of SIDs stored in user SIDHistory, and whether the account is trusted for delegation.
To use this script, download it following the link above and save as CheckMaxTokenSize.ps1
Disable script check:
Go to the directory containing the script:
And get the size of the Kerberos ticket for the user jsmith:
The script prompts to specify the environment for which the size of the user token has to be calculated. There are two variants:
1 — for Windows 7 / Windows Server 2008 R2 or earlier (token size 12 KB)
4 — for Windows 8 / Windows Server 2012 or later (token size 48 KB)
Press 1, and then ENTER. In some time (3-4 minutes) the script will return the following information:
Token Details for user jsmith
**********************************
User’s domain is CORP.
Total estimated token size is 22648.
For access to DCs and delegatable resources the total estimated token delegation size is 45269.
Effective MaxTokenSize value is: 12000
Problem detected. The token was too large for consistent authorization. Alter the maximum size per KB http://support.microsoft.com/kb/327825 and consider reducing direct and transitive group memberships.
*Token Details for jsmith*
There are 957 groups in the token.
There are SIDs in the users SIDHistory.
There are 248 SIDs in the users groups SIDHistory attributes.
There are 248 total SIDHistories for user and groups user is a member of.
1088 are domain global scope security groups.
37 are domain local security groups.
86 are universal security groups inside of the users domain.
0 are universal security groups outside of the users domain.
>Group Details included in output file at C:\Windows\temp\TokenSizeDetails.txt
SIDHistory details included in output file at C:\Windows\temp\TokenSizeDetails.txt
**********************************
User’s domain is CORP.
Total estimated token size is 22648.
For access to DCs and delegatable resources the total estimated token delegation size is 45269.
Effective MaxTokenSize value is: 12000
Problem detected. The token was too large for consistent authorization. Alter the maximum size per KB http://support.microsoft.com/kb/327825 and consider reducing direct and transitive group memberships.
*Token Details for jsmith*
There are 957 groups in the token.
There are SIDs in the users SIDHistory.
There are 248 SIDs in the users groups SIDHistory attributes.
There are 248 total SIDHistories for user and groups user is a member of.
1088 are domain global scope security groups.
37 are domain local security groups.
86 are universal security groups inside of the users domain.
0 are universal security groups outside of the users domain.
>Group Details included in output file at C:\Windows\temp\TokenSizeDetails.txt
SIDHistory details included in output file at C:\Windows\temp\TokenSizeDetails.txt