TokenSize = 1200 + 40d + 8s
This formula uses the following values:
d: The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain that the user is a member of plus the number of groups represented in security ID (SID) history.
s: The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain that the user is a member of.
1200: The estimated value for ticket overhead. This value can vary, depending on factors such as DNS domain name length, client name, and other factors.
The Internet Information Server (IIS) uses a reduced request buffer size to mitigate a denial of service attack vector of 64 KB. However, a Kerberos Ticket in an HTTP request is encoded as Base64 (six bits expanded to eight bits). Additionally, and the Kerberos Ticket is using 133 percent of its original size. Therefore, when the maximum buffer size is 64 KB in IIS, 48 KB of a Kerberos Ticket can be used.
© 1996-2023 Experts Exchange, LLC. All rights reserved. Covered by US Patent