Hi All,

I need to know the size of a user's token, as the user is having some authentication issues in IIS (just one user).
I noticed the user is a member of large nested groups in AD.

What is the best way to determine a user's token size? Can you please provide a step-by-step guide?


David Johnson, CD, MVP (Owner) commented:
TokenSize = 1200 + 40d + 8s
This formula uses the following values:

- d: The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain that the user is a member of plus the number of groups represented in security ID (SID) history.
- s: The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain that the user is a member of.
- 1200: The estimated value for ticket overhead. This value can vary, depending on factors such as DNS domain name length, client name, and other factors.

The Internet Information Server (IIS) uses a reduced request buffer size to mitigate a denial of service attack vector of 64 KB. However, a Kerberos Ticket in an HTTP request is encoded as Base64 (six bits expanded to eight bits). Additionally, the Kerberos Ticket is using 133 percent of its original size. Therefore, when the maximum buffer size is 64 KB in IIS, 48 KB of a Kerberos Ticket can be used.

kuzum (Author) commented:
Thanks, David.

I was hoping for some sort of PowerShell command, maybe? It is difficult to get those values manually.

Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
You could download tokensz from Microsoft which is the tool for discovering maxtokensize:
kuzum (Author) commented:
The issue the user is having is that she cannot browse an intranet site that everyone else can. She is receiving a "web page cannot be found" error. She can partially browse in the directory she wants (no additional permissions needed). This is a standard intranet page that everyone has access to. My main focus is on her token size, as she might be over the defaults?

Any suggestions, please?

Thank you.

Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
As a test, add the following on her PC and reboot the PC:

- Go to Registry location System\CCS\Control\Lsa\Kerberos\Parameters (if key is not present then add it)
- Create value name MaxTokenSize with data type of REG_DWORD (if it exists then change value)
- Set value to Decimal 65535

kuzum (Author) commented:
Can you please tell me what values I'm looking to add or change? I will need the values you mentioned. Thanks.

Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
If you set the value to 65535 (decimal) or ffff (hexadecimal) then that sets it to the maximum possible token size. With this setting you should not have any issues. You need to create or change the existing value name of "MaxTokenSize". Refer to the attached file (maxtokensize.png) for what it looks like in the Registry.

kuzum (Author) commented:
Thanks, Mohammed, I will check this.

Is there any other suggestion to find out what the token size is for a specific user? I found the Microsoft tool to be very complex.

Any other suggestions, please?

Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
You could validate what the tokensize for the user is and then increase it on the user's computer by 400. To calculate, run the command below:

tokensz /compute_tokensize

Tokensize is calculated as per below:

Tokensize = 1200 + 40d + 8s

d = Sum of universal groups outside of domain, domain local groups and number of groups represented in the SID history
s = Sum of the number of security global groups the user is member of as well as number of universal groups in user's account domain the user is a member of
1200 = Value for ticket overhead
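
The formula and the MaxTokenSize check from the answers above, as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory module and a single-domain forest; the function names and the account name `jdoe` are hypothetical, and the registry path spells out the thread's `CCS` abbreviation as `CurrentControlSet`.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and a single-domain forest (so no universal groups from other domains).
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string]$Value) {    # hypothetical helper
    # Escape the characters that are special inside an LDAP filter value.
    $Value -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
}

function Get-EstimatedTokenSize {                        # hypothetical function name
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties SIDHistory, PrimaryGroup
    $dn   = ConvertTo-LdapFilterValue $user.DistinguishedName
    $pg   = ConvertTo-LdapFilterValue $user.PrimaryGroup

    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: follows nested membership.
    # The primary group is not stored in 'member', so it is added explicitly.
    $rule   = '1.2.840.113556.1.4.1941'
    $filter = "(|(member:${rule}:=$dn)(member:${rule}:=$pg)(distinguishedName=$pg))"
    $groups = @(Get-ADGroup -LDAPFilter $filter |
                Where-Object { $_.GroupCategory -eq 'Security' })  # only security groups enter the token

    # d: domain local groups + SID history entries
    $d = @($groups | Where-Object { $_.GroupScope -eq 'DomainLocal' }).Count + $user.SIDHistory.Count
    # s: global security groups + universal groups in the user's own domain
    $s = @($groups | Where-Object { $_.GroupScope -ne 'DomainLocal' }).Count
    $estimate = 1200 + 40 * $d + 8 * $s

    # MaxTokenSize as configured on this machine (absent means the OS default applies).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $max = (Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize

    [pscustomobject]@{
        User                = $user.SamAccountName
        d                   = $d
        s                   = $s
        EstimatedTokenBytes = $estimate
        MaxTokenSize        = if ($null -ne $max) { $max } else { 'not set' }
        # 64 KB IIS request buffer less Base64 expansion leaves 48 KB for the ticket
        ExceedsIisBudget    = $estimate -gt (64KB * 3 / 4)
    }
}

Get-EstimatedTokenSize -Identity 'jdoe'   # placeholder account name
```

The registry value is read from the machine the function runs on, so run it on the computer whose MaxTokenSize setting is in question.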