Help with Active Directory token size.

Posted on 2009-12-17
Last Modified: 2012-05-08
The kerberos SSPI package generated an output token of size %1 bytes, which was too large to fit in the token buffer of size %2 bytes, provided by process id %3.

The output SSPI token being too large is probably the result of the user %4 being a member of a large number of groups.

Increase the maximum token size, which in turn is configured machine-wide via the following registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.

OK, I did this and it works, BUT my question is this:  This started erroring at 11:00AM yesterday.  NOTHING was changed for any people in any groups at all.  So the SID token, so to speak, should not have changed for ANY users.  Is there a way to find out exactly what changed at 11:00AM yesterday that would have caused the 12000 byte limit to the token size to be overmaxed, causing this issue?  I have changed the MaxTokenSize to 65535 and the users affected are now working.  I had to change ALL servers that have some form of KDC authentication with this new parameter.  Without ANY changes being made, what could have just "magically shoved it over the limit"?  I need to find this but have no clue how.  Any ideas?
Question by:JeffParton
    LVL 33

    Expert Comment

    Note The size of the user security token grows together with the number of groups to which the user belongs.
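An added example, not from any of the posts in this thread, for putting numbers on the point made in the question and in the comment above: how big each user's token actually is and which groups are driving it. It walks an OU, expands every user's nested group membership through the DC-computed tokenGroups attribute, and applies the sizing formula Microsoft publishes for MaxTokenSize (KB 327825): 1200 bytes base, 40 bytes per domain local group, per universal group from another domain and per SID history entry, 8 bytes per global group or same-domain universal group. The search base is an assumption; the script reads the real MaxTokenSize from the registry of the machine it runs on and falls back to the pre-2012 default of 12000.

```powershell
# Added example, not part of the original thread. Estimates Kerberos token size per user
# with the formula Microsoft documents for sizing MaxTokenSize (KB 327825):
#     TokenSize = 1200 + 40*d + 8*s
#   d = domain local groups + universal groups from another domain + sIDHistory entries
#   s = global groups + universal groups from the account domain
# Assumptions: domain-joined machine, a caller allowed to read tokenGroups (the default),
# $SearchBase pointing at your own OU. MaxTokenSize is read from the local registry.
param(
    [string]$SearchBase = "LDAP://OU=Users,DC=contoso,DC=com"   # assumed path
)

$GT_DOMAIN_LOCAL = 0x00000004   # groupType scope bits: global 0x2, domain local 0x4, universal 0x8

function Get-MaxTokenSize {
    # Same value the event text refers to; absent means the pre-2012 default of 12000 bytes.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
    $v = (Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    if ($v) { return [int]$v } else { return 12000 }
}

function Get-TokenSizeEstimate {
    param([System.DirectoryServices.SearchResult]$Result)

    $name          = [string]$Result.Properties["samaccountname"][0]
    $userSid       = New-Object System.Security.Principal.SecurityIdentifier($Result.Properties["objectsid"][0], 0)
    $accountDomain = $userSid.AccountDomainSid.Value
    $history       = $Result.Properties["sidhistory"].Count

    # tokenGroups is computed by the DC on request: the fully expanded, nested set of
    # security group SIDs for the account. A plain search does not return it.
    $entry = $Result.GetDirectoryEntry()
    $entry.RefreshCache(@("tokenGroups"))

    $d = 0; $s = 0; $n = 0; $costly = @()
    foreach ($raw in $entry.Properties["tokenGroups"]) {
        $n++
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        if ($sid.Value -like "S-1-5-32-*") {
            $d++; $costly += $sid.Value                       # BUILTIN groups are domain local
        } elseif ($sid.AccountDomainSid -eq $null) {
            $s++                                              # well-known SIDs, counted at the cheap rate
        } elseif ($sid.AccountDomainSid.Value -ne $accountDomain) {
            $d++; $costly += $sid.Value                       # group from another domain
        } else {
            # Same-domain group: read its scope to decide between the 40- and 8-byte rate.
            try {
                $group = [ADSI]("LDAP://<SID=" + $sid.Value + ">")
                $gt    = [int]$group.Properties["groupType"].Value
                $label = [string]$group.Properties["sAMAccountName"].Value
            } catch { $gt = $GT_DOMAIN_LOCAL; $label = $sid.Value }   # unresolvable: assume the worst
            if ($gt -band $GT_DOMAIN_LOCAL) { $d++; $costly += $label } else { $s++ }
        }
    }
    $d += $history   # every migrated SID rides along in the PAC at 40 bytes

    New-Object PSObject -Property @{
        User          = $name
        Groups        = $n
        SidHistory    = $history
        Size          = 1200 + 40 * $d + 8 * $s
        CostlyEntries = ($costly -join ", ")
    }
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchBase)
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize = 1000
$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "objectSid", "sIDHistory"))

$limit  = Get-MaxTokenSize
$report = foreach ($r in $searcher.FindAll()) { Get-TokenSizeEstimate -Result $r }
$report | Sort-Object Size -Descending |
    Select-Object User, Groups, SidHistory, Size, @{n="OverLimit"; e={ $_.Size -gt $limit }}, CostlyEntries |
    Format-Table -AutoSize
```

Run it against the OU holding the affected users and read the CostlyEntries column. Because a domain local group, a foreign universal group or a SID history entry costs five times what a global group costs, one group whose scope was changed, or one group that was nested into another, shows up in that column for every member at once, which is the kind of single edit that pushes many users over the limit in the same minute without anyone touching an individual membership.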
    LVL 10

    Author Comment

    NJComputerNetworks, I figured out what causes the security token to grow.  In my question I noted that NO changes were made to any groups the users belong to in weeks; thus, no growth in security tokens was expected.  Then it just "stopped" working and errored.  I am trying to find out how to research what "straw broke the camel's back", so to speak.  I am a little concerned that some sort of virus has gotten in that I can't trace or detect, or whatever else may have happened.  "Something" made it start erroring, and all the things I can find point to group memberships, which HAVE NOT changed.  Only 3 people have the ability to edit/add/delete group memberships and none of us changed anything.  I am curious if anyone knows of a way to find what specifically changed at 11:00 that initiated the error chain.

    In other words, I know what the error is and "what" has happened, I am trying to find a way to find out what "specific addition" caused the security token to grow beyond the limit.  Is there a way of backtracking to find "what change" in AD caused the change.
    LVL 33

    Accepted Solution

    In the

    ...there are some troubleshooting steps, as well as log locations you can look at to see if there were some changes (that maybe were introduced inadvertently), assuming that you had the proper auditing turned on.

    "Analyzing Tool Report Data
    You can use the Group Membership Evaluation task of the Ntdsutil.exe tool to help you recover from an access token limitation problem, such as a user not being able to log on. The purpose of this task is to generate data that will help you identify the source of the problem.

    Best Practices      34
    Auditing Changes to Active Directory      34
    Monitoring Security Log Events      35
    Filtering for Security Events in Event Viewer      36
    Delegating Administration Tasks for Group Management      36"
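An added example, not part of the accepted solution or the document it quotes, showing what "look in the security log for changes" amounts to in practice. It pulls the group membership and group type change events that each domain controller's Security log recorded in a window around the time the errors began and prints who changed what. It needs success auditing of account management on the DCs (what the quoted document's auditing section configures), PowerShell on the machine you run it from, and the Remote Registry service on the DCs for Get-EventLog to reach them. The DC names and the time window are assumptions to replace with your own.

```powershell
# Added example, not part of the original thread. Lists group membership and group type
# change events from each DC's Security log for a window around the time the token errors
# began. Assumes: account management success auditing is on, Remote Registry is running on
# the DCs, and the names/times below are replaced with your own.
param(
    [string[]]$DomainControllers = @("DC1", "DC2"),              # assumed names
    [datetime]$Start = (Get-Date "2009-12-16 10:00"),            # assumed window
    [datetime]$End   = (Get-Date "2009-12-16 12:00")
)

# Windows 2000/2003 event IDs and their Windows Server 2008 equivalents (old ID + 4096).
$memberAdded = @{
    632  = "member added to global group";       4728 = "member added to global group"
    636  = "member added to domain local group"; 4732 = "member added to domain local group"
    660  = "member added to universal group";    4756 = "member added to universal group"
}
# A group type change is the quiet way to grow tokens: converting a global group to universal
# or domain local, or a distribution group to a security group, raises the cost of every
# member's token entry without a single membership event being logged.
$typeChanged = @{ 668 = "group type changed"; 4764 = "group type changed" }

function Get-GroupChangeEvents {
    param([string]$Dc, [datetime]$After, [datetime]$Before)
    $ids = @($memberAdded.Keys) + @($typeChanged.Keys)

    Get-EventLog -LogName Security -ComputerName $Dc -After $After -Before $Before -EntryType SuccessAudit |
        Where-Object { $ids -contains $_.EventID } |
        ForEach-Object {
            $rs = $_.ReplacementStrings
            $member = ""; $group = ""; $caller = ""; $detail = ""
            if ($memberAdded.ContainsKey($_.EventID)) { $what = $memberAdded[$_.EventID] }
            else                                       { $what = $typeChanged[$_.EventID] }

            if ($memberAdded.ContainsKey($_.EventID) -and $rs.Count -ge 7) {
                # Positions follow the event templates: 2003 events put Member/Target/Caller
                # at 0/2/5, 2008 events put Subject/Member/Group at 1/4/6.
                if ($_.EventID -lt 4096) { $member = $rs[0]; $group = $rs[2]; $caller = $rs[5] }
                else                     { $member = $rs[4]; $group = $rs[6]; $caller = $rs[1] }
            } else {
                $detail = ($_.Message -replace "\s+", " ")    # template differs per OS; keep the text
            }
            New-Object PSObject -Property @{
                Time = $_.TimeGenerated; DC = $Dc; EventID = $_.EventID; Change = $what
                Member = $member; Group = $group; Caller = $caller; Detail = $detail
            }
        }
}

# Each DC logs only the changes made through it, so every DC has to be asked.
$events = foreach ($dc in $DomainControllers) { Get-GroupChangeEvents -Dc $dc -After $Start -Before $End }
$events | Sort-Object Time | Format-Table Time, DC, EventID, Change, Member, Group, Caller -AutoSize
$events | Where-Object { $_.Detail } | Format-List Time, DC, Change, Detail
```

Two things to keep in mind when reading the output. A Member value that is a group's distinguished name rather than a user's marks a nesting change: every member of that group grew by one entry in the same instant, with no event naming any of them. And if the window turns up nothing, widen it backwards: a membership or scope change reaches a user's token only when a new ticket-granting ticket is issued (next logon or renewal), so an edit made the previous evening surfaces at whatever time users next authenticate, not at the minute it was made.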
