Wednesday, February 8, 2012

Maximum Token Size (Kerberos)



There may be cases where a user has been granted all the access required to perform an administrative task, yet is still unable to carry out a straightforward task such as switching to another DC, as in the example below (the error is shown in the screenshot below).

At first glance it may look like a disk space issue, since the error says "Not enough storage". However, it may not be what it appears to be superficially.

In this case, the root cause is the size of the user's Kerberos token. By default the maximum token size is 12000, and if the user's Kerberos token exceeds this, the access rights assigned to the user will not be fully granted, which affects the level of access the user is supposed to have.


To verify the token size, Microsoft provides a tool, Tokensz, which can be downloaded from the link below:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en

The command to run the tool, with sample output, is as below:

C:\TEMP\tokensz>tokensz.exe /compute_tokensize

Name: Kerberos Comment: Microsoft Kerberos V1.0
Current PackageInfo->MaxToken: 65535

Using user to user

QueryKeyInfo:
Signature algorithm = HMAC-SHA1-96
Encrypt algorithm = Kerberos AES256-CTS-HMAC-SHA1-96
KeySize = 256
Flags = 2083e
Signature Algorithm = 16
Encrypt Algorithm = 18
Start:10/30/2010 0:45:10
Expiry:10/30/2010 8:49:54
Current Time: 10/30/2010 0:45:10
MaxToken (complete context) 1640


Solution:


To overcome this, launch regedit on the affected machine and create a DWORD value named "MaxTokenSize" under the key below, with the value "ffff" in hex.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]

"MaxTokenSize"=dword:0000ffff

Restart the machine once this is completed.
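The following PowerShell script is an added example, not part of the original post. It reads the effective MaxTokenSize from the registry key above (falling back to the 12000 default the post mentions when the value is absent), estimates a user's Kerberos token size from their transitive group membership using the formula Microsoft documents in KB327825 (TokenSize = 1200 + 40d + 8s), and applies the same registry change the post describes. It assumes the ActiveDirectory module (RSAT) is installed; the account name "jdoe" is a placeholder.

```powershell
# Added example (not from the original post): audit the effective Kerberos
# MaxTokenSize on this machine and estimate a user's token size.
# Estimate formula from Microsoft KB327825: TokenSize = 1200 + 40*d + 8*s
#   d = domain local groups + universal groups outside the account domain + SIDHistory entries
#   s = global groups + universal groups inside the account domain
# Assumes the ActiveDirectory module (RSAT) is available for the estimate.

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$defaultMaxTokenSize = 12000   # default quoted in the post (later Windows versions use 48000)

function Get-EffectiveMaxTokenSize {
    # Returns the configured value, or the default when the value has not been created.
    $prop = Get-ItemProperty -Path $paramKey -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($null -ne $prop) { return [int]$prop.MaxTokenSize }
    return $defaultMaxTokenSize
}

function Get-EstimatedTokenSize {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties SIDHistory
    $userDomainSid = $user.SID.AccountDomainSid.Value

    # LDAP_MATCHING_RULE_IN_CHAIN returns transitive (nested) membership,
    # which is what actually ends up in the token.
    $filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $groups = @(Get-ADGroup -LDAPFilter $filter)

    $d = @($user.SIDHistory).Count
    $s = 0
    foreach ($g in $groups) {
        $sameDomain = ($g.SID.AccountDomainSid.Value -eq $userDomainSid)
        switch ($g.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($sameDomain) { $s++ } else { $d++ } }
        }
    }
    return [pscustomobject]@{
        User       = $SamAccountName
        GroupCount = $groups.Count
        Estimate   = 1200 + 40 * $d + 8 * $s
    }
}

function Set-MaxTokenSize {
    # Applies the same change the post describes: DWORD MaxTokenSize = 0xffff.
    param([int]$Value = 0xffff)
    if (-not (Test-Path $paramKey)) { New-Item -Path $paramKey -Force | Out-Null }
    New-ItemProperty -Path $paramKey -Name MaxTokenSize -PropertyType DWord -Value $Value -Force | Out-Null
}

# Usage: compare the estimate for a user against the effective limit.
$max = Get-EffectiveMaxTokenSize
$est = Get-EstimatedTokenSize -SamAccountName 'jdoe'   # placeholder account
"Effective MaxTokenSize: $max"
$est | Format-List
if ($est.Estimate -gt $max) {
    Write-Warning "Estimated token ($($est.Estimate)) exceeds MaxTokenSize ($max); raise it with Set-MaxTokenSize and reboot."
}
```

Running the estimate against the user from the screenshot gives a quick way to confirm that group bloat, rather than disk space, is the cause before touching the registry; the tokensz output above remains the authoritative measurement. The estimate is a lower bound for the "complete context" size, since it ignores claims and other authorization data, so treat users whose estimate approaches the limit as candidates for group-membership cleanup as well as for raising MaxTokenSize.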
