Link to home
Create AccountLog in
Avatar of kuzum

asked on


Hi All,

I need to know what the size of a user's token size as user is having some authentication issues in IIS ( just one user)
I noticed user is member of large nested groups in AD

What is the best way determining user's token size?  can you please provide step by step guide

Avatar of David Johnson, CD
David Johnson, CD
Flag of Canada image

TokenSize = 1200 + 40d + 8s
This formula uses the following values:

    d: The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain that the user is a member of plus the number of groups represented in security ID (SID) history.
    s: The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain that the user is a member of.
    1200: The estimated value for ticket overhead. This value can vary, depending on factors such as DNS domain name length, client name, and other factors.

The Internet Information Server (IIS) uses a reduced request buffer size to mitigate a denial of service attack vector of 64 KB. However, a Kerberos Ticket in an HTTP request is encoded as Base64 (six bits expanded to eight bits). Additionally, and the Kerberos Ticket is using 133 percent of its original size. Therefore, when the maximum buffer size is 64 KB in IIS, 48 KB of a Kerberos Ticket can be used.
Avatar of kuzum


thanks David

I was hoping some sort of powershell command may be? it is difficult to get those values manually.
You could download tokensz from Microsoft which is the tool for discovering maxtokensize:
Avatar of kuzum


issue that user having is that she cannot browser in intranet site where every one else can.  she is receiving "web page cannot be found"  error. she can partially browse in the directory she wants. ( no additional permissions needed) this is standard intranet page that everyone has access to. My main focus is on her token size as she might be over the defaults?

Any suggestions please

thank you
As a test, add the following on her PC and reboot the PC:

- Go to Registry location System\CCS\Control\Lsa\Kerberos\Parameters (if key is not present then add it)
- Create value name MaxTokenSize with data type of REG_DWORD (if it exists then change value)
- Set value to Decimal 65535
Avatar of kuzum



can you please tell me what values I'm looking to add or change ? I will need the values you mentioned. thanks
Avatar of Mohammed Khawaja
Mohammed Khawaja
Flag of Canada image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of kuzum


thanks mohammed, I will check this.

Is there any other suggestion to find out what token size is for a specific user? I found Microsoft tool to be very complex.

Any other suggestions please?

You could validate what the tokensize for the user is and then increase it on the users' computer by 400.  To calculate, run the command below:

tokensz /compute_tokensize

Tokensize is calculated as per below:

Tokensize = 1200 + 40d + 8s

d = Sum of universal groups outside of domain, domain local groups and number of groups represented in the SID history
s = Sum of the number of security global groups the user is member of as well as number of universal groups in user's account domain the user is a member of
1200 = Value for ticket overhead