• Status: Solved

Help with Active Directory token size.

The kerberos SSPI package generated an output token of size %1 bytes, which was too large to fit in the token buffer of size %2 bytes, provided by process id %3.

The output SSPI token being too large is probably the result of the user %4 being a member of a large number of groups.

Increase the maximum token size, which in turn is configured machine-wide via the following registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.

OK, I did this and it works, BUT my question is this:  This started erroring at 11:00AM yesterday.  NOTHING was changed for any people in any groups at all.  So the SID token, so to speak, should not have changed for ANY users.  Is there a way to find out exactly what changed at 11:00AM yesterday that would have caused the 12000 byte limit to the token size to be overmaxed, causing this issue?  I have changed the MaxTokenSize to 65535 and the users affected are now working.  I had to change ALL servers that have some form of KDC authentication with this new parameter.  Without ANY changes being made, what could have just "magically shoved it over the limit"?  I need to find this but have no clue how to.  Any ideas?
1 Solution
Note: The size of the user security token grows together with the number of groups to which the user belongs.

JeffParton (Author) commented:
NJComputerNetworks, I figured out what causes the security token to grow.  In my question I noted that NO changes were made to any groups the users belong to in weeks, thus no growth in security tokens was expected.  Then it just "stopped" working and errored.  I am trying to find out how to research what "straw broke the camel's back", so to speak.  I am a little concerned that some sort of virus has gotten in that I can't trace or detect, or whatever else may have happened.  "Something" made it start erroring, and all the things I can find point to group memberships, which HAVE NOT changed.  Only 3 people have the ability to edit/add/delete group memberships and none of us changed anything.  I am curious if anyone knows of a way to find what specifically changed at 11:00 that initiated the error chain.

In other words, I know what the error is and "what" has happened; I am trying to find a way to find out what "specific addition" caused the security token to grow beyond the limit.  Is there a way of backtracking to find "what change" in AD caused the change?
In the
...there are some troubleshooting steps, as well as log locations you can look at to see if there were some changes (that maybe were introduced inadvertently), assuming that you had the proper auditing turned on.

"Analyzing Tool Report Data
You can use the Group Membership Evaluation task of the Ntdsutil.exe tool to help you recover from an access token limitation problem, such as a user not being able to log on. The purpose of this task is to generate data that will help you identify the source of the problem."

Best Practices
  • Auditing Changes to Active Directory
  • Monitoring Security Log Events
  • Filtering for Security Events in Event Viewer
  • Delegating Administration Tasks for Group Management
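An added example (not from the original thread or the document quoted above) that does the backtracking the question asks for, in PowerShell with the RSAT ActiveDirectory module (the replication-metadata cmdlet needs the Windows Server 2012 or later version of the module). The user name, DC name and cut-off time are placeholders. The point it relies on is that the Kerberos PAC, and therefore the token, carries transitive membership and SID history: a user whose direct memberships were never touched still gets a bigger token when one of that user's groups is nested into another group, when SID history is added, or when a group is created in a resource domain with an existing group as a member; distribution groups are not in the token at all. The script lists the user's effective security groups, applies Microsoft's sizing rule from KB 327825 (TokenSize = 1200 + 40d + 8s), then looks for 'member' values changed after the cut-off, first through replication metadata (which records the change time even where auditing was off) and then through the Security Group Management audit events on the DC.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module, a domain-joined admin workstation, and read access to the Security log
# on the DC named in $Dc. $Sam, $Dc and $Since are placeholders to edit.
Import-Module ActiveDirectory

$Sam   = 'jdoe'                                    # assumed: an affected user
$Dc    = 'DC01'                                    # assumed: a DC in that user's account domain
$Since = (Get-Date).Date.AddDays(-1).AddHours(11)  # "11:00 yesterday", as in the question

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a DN containing \ ( ) or * does not break the filter.
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-EffectiveGroups([string]$SamAccountName, [string]$Server) {
    # The PAC holds *transitive* membership, so nesting one group into another grows
    # every member's token without anyone editing the user. The in-chain matching
    # rule (1.2.840.113556.1.4.1941) makes the DC walk that nesting for us.
    $user = Get-ADUser $SamAccountName -Server $Server -Properties sIDHistory, primaryGroupID
    # The primary group (usually Domain Users) is never listed in a 'member'
    # attribute; rebuild its SID from the domain SID plus the RID in primaryGroupID.
    $domainSid = (Get-ADDomain -Server $Server).DomainSID.Value
    $primary   = Get-ADGroup "$domainSid-$($user.primaryGroupID)" -Server $Server -Properties groupType, whenChanged
    $groups = @($primary)
    foreach ($dn in @($user.DistinguishedName, $primary.DistinguishedName)) {
        $filter  = "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $dn))"
        $groups += @(Get-ADGroup -LDAPFilter $filter -Server $Server -Properties groupType, whenChanged |
                     Where-Object { $_ })
    }
    # Caveat: this sees only the account domain. Domain local groups in resource
    # domains and universal groups elsewhere in the forest also land in the token.
    [pscustomobject]@{ User = $user; Groups = @($groups | Sort-Object { $_.SID.Value } -Unique) }
}

function Get-TokenSizeEstimate($User, $Groups) {
    # KB 327825 sizing rule: TokenSize = 1200 + 40d + 8s, where d counts domain local
    # groups plus SID history entries and s counts global and universal groups in the
    # account domain. groupType: 0x2 global, 0x4 domain local, 0x8 universal,
    # 0x80000000 security-enabled (so security groups read as negative integers).
    $d = @($User.sIDHistory | Where-Object { $_ }).Count
    $s = 0
    foreach ($g in $Groups) {
        $type = [int]$g.groupType
        if ($type -ge 0) { continue }                 # distribution group: not in the token
        if ($type -band 0x4) { $d++ } else { $s++ }
    }
    [pscustomobject]@{ DomainLocalPlusSidHistory = $d; GlobalAndUniversal = $s; EstimatedBytes = 1200 + 40 * $d + 8 * $s }
}

function Find-MembershipChangesSince($Groups, [datetime]$Since, [string]$Server) {
    # Replication metadata records when each linked 'member' value was last added or
    # removed, which answers "what changed at 11:00" even without audit events.
    foreach ($g in $Groups) {
        Get-ADReplicationAttributeMetadata -Object $g.DistinguishedName -Server $Server -ShowAllLinkedValues |
            Where-Object { $_.AttributeName -eq 'member' -and $_.LastOriginatingChangeTime -ge $Since } |
            Select-Object @{ n = 'Group'; e = { $g.Name } }, AttributeValue,
                          LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity
    }
}

function Get-GroupChangeEventsSince([datetime]$Since, [string]$Server) {
    # Security log on the DC: 4728/4732/4756 = member added to a security-enabled
    # global/local/universal group, 4729/4733/4757 = member removed. Needs the
    # 'Audit Security Group Management' subcategory, and the event exists only on
    # the DC where the change was made, so run this against every writable DC.
    Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4728, 4729, 4732, 4733, 4756, 4757; StartTime = $Since
    } | Select-Object TimeCreated, Id, MachineName, Message
}

$eff = Get-EffectiveGroups -SamAccountName $Sam -Server $Dc
$est = Get-TokenSizeEstimate -User $eff.User -Groups $eff.Groups
"$Sam has $($eff.Groups.Count) effective groups; estimate: $($est | ConvertTo-Json -Compress)"

"'member' values changed since $Since (replication metadata):"
Find-MembershipChangesSince -Groups $eff.Groups -Since $Since -Server $Dc | Format-Table -AutoSize

"Group management audit events on $Dc since ${Since}:"
Get-GroupChangeEventsSince -Since $Since -Server $Dc | Format-Table -AutoSize -Wrap

# Limit in force on this host; no value means the OS default
# (12000 before Windows 8 / Server 2012, 48000 from then on; 65535 is the ceiling).
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' -Name MaxTokenSize -ErrorAction SilentlyContinue
```

Two caveats when raising MaxTokenSize the way the question describes: 65535 is the registry ceiling and 48000 is the default from Windows 8 and Server 2012 onward, and if any affected service sits behind IIS the ticket travels in the HTTP Authorization header, so HTTP.sys's MaxFieldLength and MaxRequestBytes (under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters) must be raised too, or the bigger token just moves the failure to an HTTP 400 "Request header too long". The estimate above is from the account domain only; the ntdsutil Group Membership Evaluation task the quoted document describes is the tool for the full cross-domain picture.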
