kuzum

TOKEN SIZE
Hi All,

I need to know what the size of a user's token is, as the user is having some authentication issues in IIS (just one user).
I noticed the user is a member of large nested groups in AD.

What is the best way of determining the user's token size? Can you please provide a step-by-step guide?

thanks


David Johnson, CD

TokenSize = 1200 + 40d + 8s
This formula uses the following values:

    d: The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain that the user is a member of plus the number of groups represented in security ID (SID) history.
    s: The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain that the user is a member of.
    1200: The estimated value for ticket overhead. This value can vary, depending on factors such as DNS domain name length, client name, and other factors.

The Internet Information Server (IIS) uses a reduced request buffer size to mitigate a denial of service attack vector of 64 KB. However, a Kerberos Ticket in an HTTP request is encoded as Base64 (six bits expanded to eight bits). Additionally, the Kerberos Ticket is using 133 percent of its original size. Therefore, when the maximum buffer size is 64 KB in IIS, 48 KB of a Kerberos Ticket can be used.
http://bit.ly/1MqcJmP

kuzum (ASKER)

thanks David

I was hoping for some sort of PowerShell command, maybe? It is difficult to get those values manually.

You could download tokensz from Microsoft which is the tool for discovering maxtokensize:

http://www.microsoft.com/en-us/download/details.aspx?id=1448



kuzum (ASKER)

The issue the user is having is that she cannot browse an intranet site where everyone else can. She is receiving a "web page cannot be found" error. She can partially browse in the directory she wants (no additional permissions needed); this is a standard intranet page that everyone has access to. My main focus is on her token size, as she might be over the defaults?

Any suggestions please

thank you

As a test, add the following on her PC and reboot the PC:

- Go to Registry location System\CCS\Control\Lsa\Kerberos\Parameters (if key is not present then add it)
- Create value name MaxTokenSize with data type of REG_DWORD (if it exists then change value)
- Set value to Decimal 65535

kuzum (ASKER)

Mohamed,

Can you please tell me what values I'm looking to add or change? I will need the values you mentioned. Thanks.



ASKER CERTIFIED SOLUTION
Mohammed Khawaja


kuzum (ASKER)

Thanks Mohammed, I will check this.

Is there any other suggestion to find out what the token size is for a specific user? I found the Microsoft tool to be very complex.

Any other suggestions please?

thanks

You could validate what the token size for the user is and then increase it on the user's computer by 400. To calculate, run the command below:

tokensz /compute_tokensize

Tokensize is calculated as per below:

Tokensize = 1200 + 40d + 8s

d = Sum of universal groups outside of the domain, domain local groups and the number of groups represented in the SID history
s = Sum of the number of security global groups the user is a member of as well as the number of universal groups in the user's account domain the user is a member of
1200 = Value for ticket overhead
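As an added example that is not part of this thread (it is not tokensz and not any poster's code), the PowerShell function below estimates a user's token size with the formula above by classifying the user's nested group membership. It assumes the RSAT ActiveDirectory module is installed, that the session runs as a domain user, and that 'jdoe' is a placeholder account name; it reads nested membership from the user's tokenGroups attribute, which the domain controller builds with nesting already expanded.

```powershell
# Added example, not from the thread: estimate a user's Kerberos token size with
# TokenSize = 1200 + 40d + 8s from nested group membership and SID history.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
function Get-EstimatedTokenSize {
    param([Parameter(Mandatory)] [string]$SamAccountName)

    Import-Module ActiveDirectory
    # tokenGroups is a constructed attribute holding the SIDs of every security
    # group the user belongs to, with nesting already expanded by the DC
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups, SIDHistory
    $accountDomainSid = $user.SID.AccountDomainSid

    $d = 0   # domain local groups + universal groups outside the account domain + SID history
    $s = 0   # global groups + universal groups inside the account domain

    foreach ($sid in $user.tokenGroups) {
        $group = Get-ADGroup -Identity $sid.Value -Properties GroupScope -ErrorAction SilentlyContinue
        if (-not $group) { continue }   # well-known or foreign SIDs that are not AD groups
        $inAccountDomain = ($sid.AccountDomainSid -eq $accountDomainSid)
        switch ($group.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($inAccountDomain) { $s++ } else { $d++ } }
        }
    }
    # every SID carried in SIDHistory counts toward d as well
    $d += @($user.SIDHistory).Count

    $size = 1200 + 40 * $d + 8 * $s
    [pscustomobject]@{
        User               = $user.SamAccountName
        d                  = $d
        s                  = $s
        EstimatedTokenSize = $size
        # 48 KB is the usable Kerberos ticket size in an IIS request quoted earlier in the thread
        OverIisLimit       = ($size -gt 48KB)
    }
}

# Usage (placeholder account name): Get-EstimatedTokenSize -SamAccountName 'jdoe'
```

The result is the formula's estimate only; the tokensz tool reads the actual ticket size from the client, so compare the two when they disagree.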