John Babbitt

asked on
Kerberos MaxTokenSize and Security Groups

One of our users has 500-600 security groups applied to him.  When he tries to log into our Citrix system, he gets an "access denied" error.  The problem turns out to be due to a limit on the default MaxTokenSize within Microsoft Windows Server 2008 R2.  This article explains how to adjust MaxTokenSize to 48000 (not 65535 as previously recommended):

http://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-and-kerberos-token-bloat.aspx

I did notice that it said Microsoft has hardcoded a limit of 1015 groups that a member can have.  I do have a question, though, which is the reason for this post:  Do nested memberships count?  For example, say I have this structure:

SG for Group A
   Member of SG for Client A
   Member of SG for Client B
   Member of SG for Client C

User XYZ then becomes a member of SG for Group A.  For User XYZ, would that count as 1 SG or 4, i.e., including nested groups?

Otherwise, I need to control access in a different way if I can't use more than 1015 SGs.  Please advise.

Regards,

John Babbitt
Systems Administrator
Ashland Support Group
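The following is an added worked example, not part of the original post or any Microsoft tool. It models the poster's nesting scenario in Python: it expands a user's direct group memberships transitively (the same expansion that populates the `tokenGroups` attribute and the group SIDs in the Kerberos PAC), counts the result, and applies the token-size estimate from Microsoft KB 327825 (`1200 + 40d + 8s`, where `d` is domain-local groups plus universal groups outside the user's domain plus SID-history entries, and `s` is global groups plus universal groups in the user's domain). The group names follow the post; the group scopes, the domain name `corp`, and the 12000-byte default are assumptions and sample data, and the functions `effective_groups`, `estimate_token_bytes`, `estimate_for_counts` and `fits` are hypothetical names.

```python
from collections import deque

# Constructed sample directory (not from the original post): for each principal,
# the set of groups it is a DIRECT member of. This mirrors the poster's example:
# User XYZ is added only to "SG for Group A", which is itself nested in three
# client groups.
MEMBER_OF = {
    "User XYZ": {"SG for Group A"},
    "SG for Group A": {"SG for Client A", "SG for Client B", "SG for Client C"},
    "SG for Client A": set(),
    "SG for Client B": set(),
    "SG for Client C": set(),
}

# Assumed scope and home domain per group; needed for the KB 327825 estimate.
GROUP_INFO = {
    "SG for Group A": ("global", "corp"),
    "SG for Client A": ("domainlocal", "corp"),
    "SG for Client B": ("domainlocal", "corp"),
    "SG for Client C": ("domainlocal", "corp"),
}

# Assumed default MaxTokenSize for Windows Server 2008 R2 (bytes).
DEFAULT_MAXTOKENSIZE = 12000


def effective_groups(principal, member_of=MEMBER_OF):
    """Return every group the principal belongs to, directly or through nesting.

    A breadth-first walk over memberOf with a visited set, so circular nesting
    (A in B, B in A) terminates instead of looping forever.
    """
    seen = set()
    queue = deque(member_of.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen


def estimate_for_counts(d, s):
    """KB 327825 formula: 1200 fixed bytes + 40 per 'd' group + 8 per 's' group."""
    return 1200 + 40 * d + 8 * s


def estimate_token_bytes(groups, user_domain, group_info=GROUP_INFO, sid_history=0):
    """Classify each effective group as a 40-byte ('d') or 8-byte ('s') entry."""
    d = sid_history  # SID-history entries count at the 40-byte rate
    s = 0
    for group in groups:
        scope, domain = group_info[group]
        if scope == "domainlocal" or (scope == "universal" and domain != user_domain):
            d += 1
        elif scope in ("global", "universal"):
            s += 1
        else:
            raise ValueError(f"unknown scope {scope!r} for {group}")
    return estimate_for_counts(d, s)


def fits(token_bytes, max_token_size=DEFAULT_MAXTOKENSIZE):
    """True when the estimated token fits the configured MaxTokenSize."""
    return token_bytes <= max_token_size


if __name__ == "__main__":
    groups = effective_groups("User XYZ")
    size = estimate_token_bytes(groups, "corp")
    print(f"User XYZ effective groups: {len(groups)} -> {sorted(groups)}")
    print(f"estimated token: {size} bytes, fits default: {fits(size)}")
    # Flat scenario resembling the post: ~550 domain-local groups, no nesting.
    big = estimate_for_counts(550, 0)
    print(f"550 domain-local groups: {big} bytes, fits 12000: {fits(big)}, "
          f"fits 48000: {fits(big, 48000)}")
```

Running it shows that User XYZ carries four groups, not one, because nesting is expanded before the token is built; the second scenario shows why a few hundred domain-local groups already pass the 12000-byte default while still fitting under 48000. In a real domain the list of effective groups comes from the user's `tokenGroups` attribute or an LDAP query using the `LDAP_MATCHING_RULE_IN_CHAIN` matching rule rather than from a hand-built dictionary.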