Q: Our Helpdesk recently learned about a Kerberos authentication problem that occurs if users are members of more than 100 groups. What's the reason behind this problem, and how can we troubleshoot and resolve it?

A: Microsoft extended the base Kerberos protocol to enable a Kerberos ticket to include authorization data. A Windows Server 2003 ticket and ticket-granting ticket (TGT) both contain a special field called the Privilege Attribute Certificate (PAC). The PAC enables the Kerberos protocol to transport authorization data such as user group memberships and user rights. The Kerberos ticket has a fixed size, which indirectly also limits the PAC size. If a user is a member of many groups (100 groups or more), the PAC size might exceed the limit, and, as a consequence, Windows authentication and Group Policy processing might fail.

You can adjust the maximum size of a Kerberos ticket using the MaxTokenSize registry parameter. This parameter is a REG_DWORD value and is contained in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos registry subkey. In Windows 2000, the default MaxTokenSize value is 8000 bytes. In Microsoft Windows Server 2003 and Win2K Service Pack 2 (SP2), the default value is 12,000 bytes. You can learn more details about the MaxTokenSize parameter in the Microsoft article "New Resolution for Problems That Occur When Users Belong to Many Groups" (http://support.microsoft.com/?kbid=327825). To reduce the PAC size, Microsoft also implemented a new method to store authorization data in the PAC in Windows 2003 and Win2K SP4. This solution is also available as a hotfix for pre-Win2K SP4 machines. You can download the hotfix from http://support.microsoft.com/default.aspx?scid=fh;en-us;cntactms. This new PAC authorization data storage method can be summarized as follows:

  • If the global and universal groups that a user belongs to are local to the domain the user is in, then only the Relative Identifier (RID) is stored.
  • If the groups are local groups or are from other domains, the entire SID is stored.

This means, for example, that instead of storing the full SID value "S-1-5-21-1275210071-789336058-1957994488-3140" in the PAC, you store only the RID value "3140". Microsoft provides a special process on the client and server side to expand the RIDs back into full SIDs during the Windows authorization process. Even on platforms for which this new PAC authorization data storage method is available, you might still need to adjust the MaxTokenSize registry value or reduce a user's group memberships. In the summer of 2004, Microsoft released a special tool called the Kerberos token size tool (tokensz.exe) to troubleshoot problems related to the Kerberos token size. You can download the tool from http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&displaylang=en. The following tokensz command lists the current system value for MaxTokenSize and the size of the current token.

tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:

You can find more information about using the tool in the "Troubleshooting Kerberos Errors" Microsoft white paper, which is available from http://www.microsoft.com/downloads/details.aspx?FamilyID=7dfeb015-6043-47db-8238-dc7af89c93f1&displaylang=en.
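As an added example (not from the article and not Microsoft's tooling), the following Python script applies the PAC storage rule described above to a constructed set of group memberships and estimates the resulting token size against the default MaxTokenSize values quoted earlier. The per-group byte costs are the TokenSize = 1200 + 40d + 8s estimate from Microsoft KB 327825 (cited above); the user SID, group SIDs and group scopes are constructed sample data.

```python
"""Estimate a user's Kerberos token size from group SIDs and scopes.

Rule from the article: global and universal groups from the user's own
domain are stored in the PAC as a RID only; domain-local groups and groups
from other domains are stored as a full SID. Sizing constants are the
KB 327825 estimate TokenSize = 1200 + 40*d + 8*s (d = full SIDs, s = RIDs).
"""
import re

# Default MaxTokenSize values quoted in the article (bytes).
MAXTOKENSIZE_WIN2K = 8000
MAXTOKENSIZE_WIN2003 = 12000

BASE_BYTES = 1200      # fixed overhead in the KB 327825 estimate
FULL_SID_BYTES = 40    # per group stored as a full SID (d)
RID_ONLY_BYTES = 8     # per group stored as a RID plus attributes (s)

_DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def split_sid(sid):
    """Return (domain_prefix, rid) for a domain SID such as S-1-5-21-a-b-c-rid."""
    m = _DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return sid.rsplit("-", 1)[0], int(m.group(1))


def pac_storage(user_sid, group_sid, scope):
    """'rid' if only the RID is stored in the PAC, 'sid' if the whole SID is."""
    user_domain, _ = split_sid(user_sid)
    group_domain, _ = split_sid(group_sid)
    if scope in ("global", "universal") and group_domain == user_domain:
        return "rid"
    return "sid"  # domain-local group, or group from another domain


def estimate_token_size(user_sid, groups):
    """groups: iterable of (sid, scope). Returns (size_bytes, d, s)."""
    d = s = 0
    for sid, scope in groups:
        if pac_storage(user_sid, sid, scope) == "rid":
            s += 1
        else:
            d += 1
    return BASE_BYTES + FULL_SID_BYTES * d + RID_ONLY_BYTES * s, d, s


def fits(size_bytes, max_token_size=MAXTOKENSIZE_WIN2003):
    """True if the estimated token fits the given MaxTokenSize."""
    return size_bytes <= max_token_size


# Constructed sample: same-domain globals, same-domain domain-locals,
# and universals from a second (constructed) domain.
USER = "S-1-5-21-1275210071-789336058-1957994488-1104"
_HOME = "S-1-5-21-1275210071-789336058-1957994488"
_OTHER = "S-1-5-21-1000000001-2000000002-3000000003"
SAMPLE_GROUPS = (
    [(f"{_HOME}-{3100 + i}", "global") for i in range(120)]
    + [(f"{_HOME}-{5000 + i}", "domain_local") for i in range(150)]
    + [(f"{_OTHER}-{7000 + i}", "universal") for i in range(60)]
)

if __name__ == "__main__":
    size, d, s = estimate_token_size(USER, SAMPLE_GROUPS)
    print(f"estimated token size {size} bytes (d={d} full SIDs, s={s} RIDs)")
    for name, limit in (("Win2K default", MAXTOKENSIZE_WIN2K),
                        ("Win2003 default", MAXTOKENSIZE_WIN2003)):
        verdict = "OK" if fits(size, limit) else "EXCEEDS: raise MaxTokenSize or trim groups"
        print(f"  {name} ({limit} bytes): {verdict}")
```

The constructed user fits the 12,000-byte default but not the 8,000-byte one, which is the pattern the article describes: the same membership works on one platform and fails on another until MaxTokenSize is raised or memberships are reduced.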