Kerberos MaxTokenSize and Security Groups

Asked by John Babbitt (United States)
Topics: Windows Server 2008, Microsoft Server OS
One of our users has 500-600 security groups applied to him. When he tries to log into our Citrix system, he gets an "access denied" error. The problem turns out to be due to a limit on the default MaxTokenSize within Microsoft Windows Server 2008 R2. This article explains how to adjust MaxTokenSize to 48000 (not 65535 as previously recommended):

http://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-and-kerberos-token-bloat.aspx

I did notice that it said Microsoft has hardcoded a limit of 1015 groups that a member can have. I do have a question, though, which is the reason for this post: Do nested memberships count? For example, say I have this structure:

SG for Group A
   Member of SG for Client A
   Member of SG for Client B
   Member of SG for Client C

User XYZ then becomes a member of SG for Group A.  For User XYZ, would that count as 1 SG or 4, i.e., including nested groups?

Otherwise, I need to control access in a different way if I can't use more than 1015 SGs.  Please advise.

Regards,

John Babbitt
Systems Administrator
Ashland Support Group
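The DC builds the Kerberos token from the user's transitive group membership, so nested groups do count toward both the SID limit and the token size. The script below is an added example (not from the question or the accepted answer) that reads the constructed tokenGroups attribute, which returns exactly that transitive SID set, and estimates the token size with Microsoft's published formula. It assumes the RSAT ActiveDirectory module on a domain-joined host; the account name is a placeholder.

```powershell
# Added example: count the SIDs that actually land in a user's Kerberos token
# (nested groups included) and estimate the token size against MaxTokenSize.
param([string]$SamAccountName = 'userxyz')   # placeholder account name

Import-Module ActiveDirectory

# tokenGroups is a constructed attribute: the DC expands nested membership and
# returns the transitive set of security-group SIDs, i.e. what goes into the PAC.
$user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups, sIDHistory
$sids = @($user.tokenGroups)
$userDomainSid = $user.SID.AccountDomainSid

$d = 0   # domain-local groups, universal groups from other domains, SIDHistory entries
$s = 0   # global groups and universal groups from the user's own domain
foreach ($sid in $sids) {
    $g = Get-ADGroup -Identity $sid.Value -Properties groupType -ErrorAction SilentlyContinue
    if ($null -eq $g) { $s++; continue }   # well-known/built-in SIDs: treat as the cheap case
    # groupType flag bits: 0x2 = global, 0x4 = domain local, 0x8 = universal
    $isDomainLocal = ($g.groupType -band 0x4) -ne 0
    $isForeignUniversal = (($g.groupType -band 0x8) -ne 0) -and
                          ($sid.AccountDomainSid -ne $userDomainSid)
    if ($isDomainLocal -or $isForeignUniversal) { $d++ } else { $s++ }
}
$sidHistory = @($user.sIDHistory).Count
$d += $sidHistory

# Microsoft's estimate (KB 327825): TokenSize = 1200 + 40*d + 8*s bytes.
$estimatedBytes = 1200 + 40 * $d + 8 * $s

[pscustomobject]@{
    User                = $SamAccountName
    TransitiveGroupSIDs = $sids.Count          # this is the number the 1015 limit applies to
    CountedAs40Bytes    = $d
    CountedAs8Bytes     = $s
    SIDHistoryEntries   = $sidHistory
    EstimatedTokenBytes = $estimatedBytes
    OverSidLimit        = ($sids.Count -gt 1015)
    OverDefaultToken    = ($estimatedBytes -gt 12000)   # pre-2012 default MaxTokenSize
}
```

Run it against the affected account before and after restructuring groups; if TransitiveGroupSIDs stays near the limit, raising MaxTokenSize alone will not fix the logon failure.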
Asker certified solution by btan (Exec Consultant)