A small issue that came up and that I'd like to share. Simple, but
sometimes you just need to read the error.
Issue:
A user was unable to connect to OCS with Office Communicator.
Symptoms:
Error message was: Cannot sign in to Communicator. You may have entered your sign-in
address, user name incorrectly, or the authentication service may be
incompatible with this version of the program. If your sign-in information is
correct and the problem persists, please contact your system administrator.
System Event log entry was:
The kerberos SSPI package generated an output token of size 12175 bytes, which was too large to fit in
the token buffer of size 12000 bytes, provided by process id 6492.
The output SSPI token being too large is
probably the result of the user blablabla@mpc.local being a member of a large number of
groups.
It is recommended to minimize the number of groups a user
belongs to. If the problem can not be corrected by reduction of the group
memberships of this user, please contact your system administrator to increase
the maximum token size, which in term is configured machine-wide via the
following registry value:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.
Solution:
Reduce the number of groups to which the user belongs.
Explanation: The user is not able
to authenticate because the Kerberos token that is generated during
authentication attempts has a fixed maximum size. Transports such as remote
procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate
buffers for authentication. In Windows 2000 (the original released version),
the MaxTokenSize value is 8,000 bytes. In Windows 2000 Service Pack 2 (SP2) and
Microsoft Windows Server 2003, and still in Windows 7 and Windows
2008 R2, the MaxTokenSize value is 12,000 bytes.
If a user is a
member of more than 120 groups, the buffer that is determined by the
MaxTokenSize value is not large enough. As a result, users cannot authenticate,
and they may receive an "out of memory" error message.
The default value is not a hard limit: the maximum recommended
configuration is 65535 bytes (64k). It is recommended that you do not set
MaxTokenSize greater than 65535 bytes, because applications that use
Kerberos authentication could potentially fail.
Another solution for this same case is to change the MaxTokenSize.
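As an added example (my own script, not code from the original post): a PowerShell snippet that reads the MaxTokenSize in effect on a machine, pulls the numbers out of the System-log event quoted above, and estimates a user's token size with the formula from the KB article linked below (TokenSize = 1200 + 40d + 8s). It assumes the RSAT ActiveDirectory module is installed, that the event's provider name is 'Kerberos', and it counts direct group memberships only.

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory
# module; the System-log provider name 'Kerberos' used in the event filter is an assumption.
Import-Module ActiveDirectory

function Get-MaxTokenSize {
    # No value present means the OS default applies (12000 bytes on the versions discussed above).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $v = (Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    if ($null -eq $v) { return 12000 }
    return [int]$v
}

function Get-TokenTooLargeEvents {
    # Extract user, sizes and PID from the event text quoted above; (?s) lets '.' span line breaks.
    $re = '(?s)output token of size (?<tok>\d+) bytes.*buffer of size (?<buf>\d+) bytes.*' +
          'process id (?<procid>\d+).*user (?<user>\S+) being a member'
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Kerberos' } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match $re) {
                [pscustomobject]@{
                    Time = $_.TimeCreated; User = $Matches.user; ProcessId = [int]$Matches.procid
                    TokenBytes = [int]$Matches.tok; BufferBytes = [int]$Matches.buf
                }
            }
        }
}

function Get-EstimatedTokenSize {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Formula from KB 327825 (linked below): TokenSize = 1200 + 40d + 8s, where
    #   d = domain local groups + universal groups outside the account domain + sIDHistory entries
    #   s = global groups + universal groups inside the account domain
    # Get-ADPrincipalGroupMembership returns direct memberships only (no nesting), so this is a lower bound.
    $user   = Get-ADUser -Identity $SamAccountName -Properties sIDHistory
    $domain = $user.SID.AccountDomainSid.Value
    $d = 0; $s = 0
    if ($user.sIDHistory) { $d += @($user.sIDHistory).Count }
    foreach ($g in Get-ADPrincipalGroupMembership -Identity $user) {
        switch ($g.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($g.SID.AccountDomainSid.Value -eq $domain) { $s++ } else { $d++ } }
        }
    }
    return 1200 + 40 * $d + 8 * $s
}

# Usage: list recent hits, then compare one user's estimated token against the limit on this machine.
$max = Get-MaxTokenSize
Get-TokenTooLargeEvents | Sort-Object Time -Descending | Select-Object -First 5 | Format-Table -AutoSize
$est = Get-EstimatedTokenSize -SamAccountName 'PLACEHOLDER_SAM'   # placeholder: the user from the event above
"Estimated token size {0} bytes vs MaxTokenSize {1} bytes on this host" -f $est, $max
```

An estimate at or above the MaxTokenSize reported by the first function is the same condition the event log entry above complains about, so the two numbers can be compared directly.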
===========
New resolution for problems with Kerberos authentication when users belong to many groups
http://support.microsoft.com/kb/327825
MaxTokenSize and Kerberos Token Bloat
http://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-and-kerberos-token-bloat.aspx