Help with Active Directory token size.
Posted on 2009-12-17
The kerberos SSPI package generated an output token of size %1 bytes, which was too large to fit in the token buffer of size %2 bytes, provided by process id %3.
The output SSPI token being too large is probably the result of the user %4 being a member of a large number of groups.
Increase the maximum token size, which in term is configured machine-wide via the following registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.
OK, I did this and it works, BUT my question is this: this started erroring at 11:00 AM yesterday. NOTHING was changed for any people in any groups at all. So the SID token, so to speak, should not have changed for ANY users. Is there a way to find out exactly what changed at 11:00 AM yesterday that would have caused the 12000-byte limit to the token size to be overmaxed, causing this issue? I have changed the MaxTokenSize to 65535 and the users affected are now working. I had to change ALL servers that have some form of KDC authentication with this new parameter. Without ANY changes being made, what could have just "magically shoved it over the limit"? I need to find this but have no clue how to. Any ideas?