
Showing posts with label Windows 2003. Show all posts

Feb 14, 2012

User unable to connect to OCS because token size was too large

Hello all,

A small issue that occurred and I'd like to share. Simple, but sometimes you just need to read the error message.
 

Issue:

A user was unable to connect to OCS (Office Communications Server) with Office Communicator.

Symptoms:

Error message was: "Cannot sign in to Communicator. You may have entered your sign-in address, user name incorrectly, or the authentication service may be incompatible with this version of the program. If your sign-in information is correct and the problem persists, please contact your system administrator."

System Event log entry was:

The kerberos SSPI package generated an output token of size 12175 bytes, which was too large to fit in the token buffer of size 12000 bytes, provided by process id 6492.

The output SSPI token being too large is probably the result of the user blablabla@mpc.local being a member of a large number of groups.

It is recommended to minimize the number of groups a user belongs to. If the problem can not be corrected by reduction of the group memberships of this user, please contact your system administrator to increase the maximum token size, which in term is configured machine-wide via the following registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.



Solution:
Reduce the number of groups to which the user belongs.

Explanation: The user is not able to authenticate because the Kerberos token that is generated during authentication has a fixed maximum size. Transports such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication. In Windows 2000 (the original released version), the MaxTokenSize value is 8,000 bytes. In Windows 2000 Service Pack 2 (SP2) and Windows Server 2003 it was raised to 12,000 bytes, and it is still 12,000 bytes in Windows 7 and Windows Server 2008 R2.

If a user is a member of more than 120 groups, the buffer that is determined by the MaxTokenSize value is not large enough. As a result, users cannot authenticate, and they may receive an "out of memory" error message.

The default is not a hard limit: MaxTokenSize can be raised, and the maximum recommended value is 65,535 bytes (64 KB). Do not set MaxTokenSize above 65,535 bytes; applications that use Kerberos authentication can fail if you do. Keep in mind that when the token travels in an HTTP Authorization header it is base64-encoded, so HTTP.sys header limits (MaxFieldLength, 16 KB by default) can still reject a token that fits in the SSPI buffer; web applications may need those raised as well.

The other solution for this same case is to raise MaxTokenSize (the registry value named in the event text above). It is a machine-wide setting, so it has to be changed on every computer involved in the authentication path, and it takes effect after a restart.
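As an added illustration (this code is not part of the original post), the following Python script pulls the token and buffer sizes out of the event text quoted above, applies the TokenSize = 1200 + 40d + 8s estimate from KB327825 (the article linked below), and works out both fixes: how many memberships the user would have to shed, or what MaxTokenSize would need to be. The rounding to the next 1,000 bytes and the 16 KB HTTP.sys header check are my additions, not the post's, and the event text is reused here as constructed sample input.

```python
import math
import re
from typing import Dict, Optional, Tuple

# Figures from the post: a 12,000-byte buffer on Windows 2000 SP2 through
# Windows Server 2008 R2, and a recommended ceiling of 65,535 bytes.
DEFAULT_MAX_TOKEN_SIZE = 12000
RECOMMENDED_CEILING = 65535
# HTTP.sys MaxFieldLength default: the largest single request header it accepts.
HTTP_SYS_MAX_FIELD_LENGTH = 16384

# Matches the System event text quoted above.
EVENT_RE = re.compile(
    r"output token of size (?P<token>\d+) bytes, which was too large to fit in "
    r"the token buffer of size (?P<buffer>\d+) bytes, provided by process id (?P<pid>\d+)"
)


def parse_token_event(message: str) -> Optional[Dict[str, int]]:
    """Pull token size, buffer size and PID out of the event text (None for other events)."""
    m = EVENT_RE.search(message)
    return {k: int(v) for k, v in m.groupdict().items()} if m else None


def estimate_token_size(d: int, s: int) -> int:
    """KB327825 estimate: TokenSize = 1200 + 40d + 8s.

    d = domain local groups + universal groups from other domains + SID-history entries
    s = global groups + universal groups from the user's own domain
    """
    return 1200 + 40 * d + 8 * s


def groups_to_shed(token: int, buffer: int) -> Tuple[int, int]:
    """Memberships to remove for the token to fit, if you fix it on the user side.

    Returns (domain-local/foreign-universal, global/home-universal); either count alone suffices.
    """
    shortfall = max(0, token - buffer)
    return math.ceil(shortfall / 40), math.ceil(shortfall / 8)


def http_header_bytes(token: int) -> int:
    """Size of the token once base64-encoded into an HTTP Authorization header."""
    return 4 * math.ceil(token / 3)


def recommend(token: int, buffer: int = DEFAULT_MAX_TOKEN_SIZE) -> Dict[str, object]:
    """Weigh the two fixes from the post: shrink the group list or raise MaxTokenSize."""
    fits = token <= buffer
    new_max = None
    if not fits:
        # Round up to the next 1,000 bytes (my choice) so a little further growth is
        # absorbed, but never past the ceiling the post warns about.
        new_max = min(math.ceil(token / 1000) * 1000, RECOMMENDED_CEILING)
    shed_dl, shed_gl = groups_to_shed(token, buffer)
    return {
        "fits": fits,
        "new_max_token_size": new_max,
        "shed_domain_local": shed_dl,
        "shed_global": shed_gl,
        # Raising MaxTokenSize alone does not help web apps: the same token,
        # base64-encoded, must also fit HTTP.sys's per-header limit.
        "exceeds_http_header": http_header_bytes(token) > HTTP_SYS_MAX_FIELD_LENGTH,
    }


if __name__ == "__main__":
    # Sample input constructed from the event text quoted in the post.
    event = ("The kerberos SSPI package generated an output token of size 12175 bytes, "
             "which was too large to fit in the token buffer of size 12000 bytes, "
             "provided by process id 6492.")
    info = parse_token_event(event)
    print(info)
    print(recommend(info["token"], info["buffer"]))
```

For the event in this post the shortfall is 175 bytes, so removing five domain local groups (or 22 global groups) would be enough; the alternative is a MaxTokenSize of 13,000 on the affected machines.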


Articles Related
===========

New resolution for problems with Kerberos authentication when users belong to many groups
http://support.microsoft.com/kb/327825

MaxTokenSize and Kerberos Token Bloat
http://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-and-kerberos-token-bloat.aspx


Feb 6, 2012

VSS - Consuming Free Disk Space


    ALL,

    This is a simple post, but it can help sometimes, because VSS is often misunderstood or not configured properly.


    Symptom
    ============


    The folder 'System Volume Information' has been consuming all the free space on drive D:\ (it can happen on other drive letters such as C:\ or E:\)


    It is important to always check all the volumes on the server to find out where shadow copy storage is configured, because the storage for one volume can live on another.


    Solution
    ==============

    • Identified that Volume Shadow Copy was misconfigured and was causing the lack of space.

    Volume "D:\" was configured with the default VSS settings.
    Volume "C:\" had no size limit configured, and its shadow copy storage was pointed at another volume, "D:\", as the picture below shows:







    • Shadow copy storage for C: was set to the D: drive.
    • Configure the size limit properly; after that the disk releases the free space again.
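    An added example, not from the original post: a small Python audit of "vssadmin list shadowstorage" output that flags the two conditions behind this case, shadow storage kept on a different volume than the one it protects and no maximum size set, and builds the "vssadmin resize shadowstorage" command that caps it. The sample output below is constructed to mirror the C:/D: layout described above (the volume GUIDs are placeholders), and the 10% cap is an example value, not a recommendation from the post.

```python
import re
from typing import Dict, List

# Constructed sample of "vssadmin list shadowstorage" output, shaped like the case
# in the post: C: has no size limit and keeps its shadow storage on D:, which is why
# D:\System Volume Information kept growing. Volume GUIDs are placeholders.
SAMPLE_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Shadow Copy Storage association
   For volume: (C:)\\?\Volume{11111111-1111-1111-1111-111111111111}\
   Shadow Copy Storage volume: (D:)\\?\Volume{22222222-2222-2222-2222-222222222222}\
   Used Shadow Copy Storage space: 95.3 GB (63%)
   Allocated Shadow Copy Storage space: 96.1 GB (64%)
   Maximum Shadow Copy Storage space: UNBOUNDED (100%)

Shadow Copy Storage association
   For volume: (D:)\\?\Volume{22222222-2222-2222-2222-222222222222}\
   Shadow Copy Storage volume: (D:)\\?\Volume{22222222-2222-2222-2222-222222222222}\
   Used Shadow Copy Storage space: 8.2 GB (5%)
   Allocated Shadow Copy Storage space: 8.5 GB (5%)
   Maximum Shadow Copy Storage space: 15 GB (10%)
"""

# One regex per field of an association block; group 1 is the value we keep.
FIELD_RE = {
    "for_volume": re.compile(r"For volume: \((\w:)\)"),
    "on_volume": re.compile(r"Shadow Copy Storage volume: \((\w:)\)"),
    "used": re.compile(r"Used Shadow Copy Storage space: (.+)"),
    "maximum": re.compile(r"Maximum Shadow Copy Storage space: (.+)"),
}


def parse_shadow_storage(text: str) -> List[Dict[str, str]]:
    """One record per 'Shadow Copy Storage association' block."""
    records = []
    for block in text.split("Shadow Copy Storage association")[1:]:
        rec = {}
        for key, rx in FIELD_RE.items():
            m = rx.search(block)
            rec[key] = m.group(1).strip() if m else ""
        records.append(rec)
    return records


def audit_shadow_storage(text: str) -> Dict[str, List[str]]:
    """Issues per protected volume; an empty list means nothing to flag."""
    findings: Dict[str, List[str]] = {}
    for rec in parse_shadow_storage(text):
        issues = []
        if rec["on_volume"] != rec["for_volume"]:
            issues.append(f"shadow storage lives on {rec['on_volume']}, not on {rec['for_volume']}")
        if rec["maximum"].upper().startswith("UNBOUNDED"):
            issues.append("no maximum size; snapshots can eat all free space on the storage volume")
        findings[rec["for_volume"]] = issues
    return findings


def resize_command(for_volume: str, on_volume: str, max_size: str) -> str:
    """The vssadmin call that caps the storage; max_size is e.g. '10%' or '20GB'."""
    return f"vssadmin resize shadowstorage /for={for_volume} /on={on_volume} /maxsize={max_size}"


if __name__ == "__main__":
    for volume, issues in audit_shadow_storage(SAMPLE_OUTPUT).items():
        print(volume, issues or ["ok"])
    # Cap for the misconfigured C: association (10% is an example value).
    print(resize_command("C:", "D:", "10%"))
```

    Run the audit against the real output of "vssadmin list shadowstorage" on each server; the C: entry in the sample is exactly the shape that filled D:\ here.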


    Articles Related 
    ================
      
    This behavior usually happens on Windows Server 2003 when Veritas Backup software is installed. Symantec has published an article about this behavior and how to solve it.


    Microsoft also published an article with the same procedures:
    http://support.microsoft.com/kb/953617 - Disk space runs out on Windows Server 2003 based computers where Veritas backup is running

    ====================
    Credits by Luciano Brena

Dec 2, 2011

Printing from a Legacy Application - using 'Dir' with LPT port fails

Another interesting case that shows how the different Windows editions work with the SMB protocol.
Let's think about the whole scenario:
    - Any attempt to redirect printing to an LPT port results in 'Access Denied'.
   
    - The command "net use lpt1 \\computername\printername" was used to redirect the output of a legacy application to a network printer. This command worked fine with a Windows 2003 print server and enabled network printing from the DOS application. After migrating the print server to Windows 2008, both the CMD test (DIR >LPT1) and the legacy DOS application stopped working.
    - Messages: "Access Denied" and "Printer not Available".
   
<Solution>
    - Downloaded Process Monitor (ProcMon) and ran it on the print server.
    - Analyzed the log and found the following entry:
   
    C:\Windows\system32\ntvdm.exe
    Date & Time:    23/11/2011 15:12:23
    Event Class:    File System
    Operation:    CreateFile
    Result:    ACCESS DENIED
    Path:    \\;LanmanRedirector\;LPT1:00000000000fb07e\abcdserver\epson\
    TID:    6872
    Duration:    0.0057445
    Desired Access:    Generic Write, Read Attributes
    Disposition:    OpenIf
    Options:    Synchronous IO Non-Alert, Non-Directory File
    Attributes:    N
    ShareMode:    Write
    AllocationSize:    0
   
   
    - To resolve the issue we need to change the way the servers and workstations communicate with each other.
    - Since Windows Vista, Microsoft has moved this communication to SMB version 2.
   
    Server Message Block (SMB) is the file sharing protocol used by default on Windows-based computers. SMB 1.0 was designed for early Windows operating systems and remained the only dialect up to Windows XP and Windows Server 2003.
    SMB 2.0 was introduced in Windows Vista and Windows Server 2008 and is designed for the needs of the next generation of file servers. Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 support both SMB 1.0 and SMB 2.0 in order to preserve backward compatibility.
   
    Here is which SMB dialect is negotiated between the versions:
        ○ When a Windows Server 2008/Vista "client" connects to a Windows Server 2008/Vista "server", SMB 2.0 is used.
        ○ When a Windows Server 2008/Vista "client" connects to a Windows 2000/XP/2003 "server", SMB 1.0 is used.
        ○ When a Windows 2000/XP/2003 "client" connects to a Windows Server 2008/Vista "server", SMB 1.0 is used.
        ○ When a Windows 2000/XP/2003 "client" connects to a Windows 2000/XP/2003 "server", SMB 1.0 is used.
   
   
    - OK. Now the solution:
    - Use Regedit to disable SMB2 on the server (I used this one).
    Note that this sends every client of this server back to SMB 1.0, a dialect Microsoft has since deprecated and disables by default on current Windows versions, so treat it as a scoped, temporary workaround for the legacy application rather than a permanent setting.
        1.Run "regedit" on Windows Server 2008 based computer.
        2.Expand and locate the sub tree as follows.
        HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
       
        3.Add a new REG_DWORD value named "Smb2" (without quotation marks)
        Value name: Smb2
        Value type: REG_DWORD
            0 = disabled
            1 = enabled
       
        4.Set the value to 0 to disable SMB 2.0, or set it to 1 to re-enable SMB 2.0.
       
        5.Reboot the server.
       
    - Restart the services ["Server", "Print Spooler", "Workstation"]. I prefer to restart the server (but sometimes the customer cannot).
    - Took a new ProcMon trace: no ACCESS DENIED or \\;LanmanRedirector entries found.
    - Tested DIR >LPT1 = OK
    - Tested the application and it works.
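    To make the ProcMon step repeatable, here is an added example (not part of the original post) that reads a Process Monitor CSV export and lists every CreateFile on a \\;LanmanRedirector\ path that came back ACCESS DENIED, pulling out the redirected DOS device and the UNC server and share so they can be compared with the "net use" target. The two CSV samples are constructed: the first mirrors the trace entry above, the second stands in for the clean trace taken after the SMB change; the PIDs and the filler rows are made up.

```python
import csv
import io
import re
from typing import Dict, List

# Path shape from the trace above: the redirector device, the redirected DOS device
# (LPT1 plus a per-session suffix), then the UNC server and share.
REDIRECTOR_RE = re.compile(
    r"^\\\\;LanmanRedirector\\;(?P<device>[A-Za-z]+\d*):[0-9A-Fa-f]+"
    r"\\(?P<server>[^\\]+)\\(?P<share>[^\\]+)"
)

# Constructed CSV exports in Process Monitor's default column layout. The first data
# row of TRACE_BEFORE_FIX mirrors the ACCESS DENIED entry above; PIDs and the other
# rows are made up.
TRACE_BEFORE_FIX = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"15:12:23.1234567","ntvdm.exe","4120","CreateFile","\\\\;LanmanRedirector\\;LPT1:00000000000fb07e\\abcdserver\\epson\\","ACCESS DENIED","Desired Access: Generic Write, Read Attributes, Disposition: OpenIf"
"15:12:23.1300000","ntvdm.exe","4120","QueryNameInformationFile","C:\\Windows\\system32\\ntvdm.exe","SUCCESS","Name: \\Windows\\system32\\ntvdm.exe"
"15:12:24.0000000","spoolsv.exe","1532","CreateFile","C:\\Windows\\System32\\spool\\PRINTERS","SUCCESS","Desired Access: Read Data/List Directory"
"""

TRACE_AFTER_FIX = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"15:40:02.0000000","ntvdm.exe","4120","CreateFile","\\\\abcdserver\\epson","SUCCESS","Desired Access: Generic Write, Read Attributes"
"""


def redirector_denials(csv_text: str) -> List[Dict[str, str]]:
    """Every CreateFile on a LanmanRedirector path that came back ACCESS DENIED."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or row["Result"] != "ACCESS DENIED":
            continue
        m = REDIRECTOR_RE.match(row["Path"])
        if m is None:
            continue
        hits.append({"process": row["Process Name"], "pid": row["PID"], **m.groupdict()})
    return hits


def unc_target(hit: Dict[str, str]) -> str:
    """The UNC path (server and share) the redirected device points at, as given to net use."""
    return "\\\\" + hit["server"] + "\\" + hit["share"]


if __name__ == "__main__":
    for hit in redirector_denials(TRACE_BEFORE_FIX):
        print(f"{hit['process']} (pid {hit['pid']}): {hit['device']} -> {unc_target(hit)} denied")
    print("after fix:", redirector_denials(TRACE_AFTER_FIX))
```

    Export the ProcMon trace with File > Save as CSV, run the script over it before and after the change, and an empty result after the change is the same confirmation as the clean trace in the steps above.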

Nov 1, 2011

How to restore deleted Printers


Hello Everyone!

I worked on an issue that can happen to anyone, and knowing how to restore/roll back the situation to its original state can save your neck.
For some reason there was a single print server with many printers configured, and by mistake these printers were deleted. Now we need to know how to roll these printers back onto the server.
In this scenario we have a Windows Server 2003.

Actions Taken
==============


    - If by some miracle you have a PrintMig backup of this print server, use it now and restore the printers.
    - If not, we will need the backup.
    - Checked the full backup of this server.
    - Depending on the backup solution, you will need to double-check how to restore the following folders and files:
    - The restore must contain the System State, the system services and C:\windows\system32\config
    - Finished the backup restore process and restarted the server.
    - After restarting, all printers are available again! And your neck is safe now :)
    - Printer definitions live in the registry under HKLM\SYSTEM\CurrentControlSet\Control\Print, which is why restoring the SYSTEM hive (part of the System State, stored in C:\windows\system32\config) brings them back. Be aware that a System State restore also rolls back every other registry change made since the backup was taken.


Solution
============

    - The solution is: BACKUP ALWAYS!

Nov 8, 2010

Slowness to Logon on citrix/terminal services environment

SYMPTOM
=======

On Windows Server 2003 the logon process is extremely slow. Logging on takes around 15-20 minutes.
After logon there is no issue with applications or performance; the problem is only during the logon process itself.

ENVIRONMENT
===========
Windows Server 2003 ENT SP2 (x64) – 16 GB RAM
Applications: Citrix Metaframe 4.5

SOLUTION
========

1. The first action to solve the issue is to get the userenv.log. If userenv.log logging is not enabled, use the article http://support.microsoft.com/kb/221833, "How to enable user environment debug logging in retail builds of Windows", to enable it.


2. In this case we could find some really important tips and information in it.
3. GPO processing starts at 13:00:04
4. and finishes at 13:27:20, and then it still has to load other policies. Userenv logging on the problem server shows that the delay is related to Resultant Set of Policy (RSoP). Check the logs below:
------------------
USERENV(615c.4c80) 13:00:04:767 AllocAdmFileInfo: Adding File name <\\XYZ.domain.com\SysVol\XYZ.domain.com\Policies\{982E46A9-9CDE-45D9-B52B-E75BF7B682E8}\Adm\conf.adm> to the Adm list.
USERENV(615c.4c80) 13:00:04:767 AllocAdmFileInfo: Adding File name <\\XYZ.domain.com\SysVol\XYZ.domain.com\Policies\{982E46A9-9CDE-45D9-B52B-E75BF7B682E8}\Adm\inetres.adm> to the Adm list.
USERENV(615c.4c80) 13:00:04:767 AllocAdmFileInfo: Adding File name <\\XYZ.domain.com\SysVol\XYZ.domain.com\Policies\{982E46A9-9CDE-45D9-B52B-E75BF7B682E8}\Adm\system.adm> to the Adm list.
USERENV(615c.4c80) 13:00:04:767 AllocAdmFileInfo: Adding File name <\\XYZ.domain.com\SysVol\XYZ.domain.com\Policies\{982E46A9-9CDE-45D9-B52B-E75BF7B682E8}\Adm\wmplayer.adm> to the Adm list.
USERENV(615c.4c80) 13:00:04:767 AllocAdmFileInfo: Adding File name <\\XYZ.domain.com\SysVol\XYZ.domain.com\Policies\{982E46A9-9CDE-45D9-B52B-E75BF7B682E8}\Adm\wuau.adm> to the Adm list.
------------------

------------------
USERENV(615c.4c80) 13:27:20:218 LogRegistry RsopData: Successfully logged registry Rsop data
USERENV(615c.4c80) 13:27:37:312 CAdmFileLogger::Log: Logging \\XYZ.domain.com\SysVol\XYZ.domain.com\Policies\{982E46A9-9CDE-45D9-B52B-E75BF7B682E8}\Adm\wuau.adm
USERENV(615c.4c80) 13:27:38:124 CAdmFileLogger::Log: Logging \\XYZ.domain.com\SysVol\XYZ.domain.com\Policies\{982E46A9-9CDE-45D9-B52B-E75BF7B682E8}\Adm\wmplayer.adm
USERENV(615c.4c80) 13:27:38:187 CAdmFileLogger::Log: Logging \\XYZ.domain.com\SysVol\XYZ.domain.com\Policies\{982E46A9-9CDE-45D9-B52B-E75BF7B682E8}\Adm\system.adm
USERENV(615c.4c80) 13:27:38:265 CAdmFileLogger::Log: Logging \\XYZ.domain.com\SysVol\XYZ.domain.com\Policies\{982E46A9-9CDE-45D9-B52B-E75BF7B682E8}\Adm\inetres.adm
USERENV(615c.4c80) 13:27:40:671 CAdmFileLogger::Log: Logging \\XYZ.domain.com\SysVol\XYZ.domain.com\Policies\{982E46A9-9CDE-45D9-B52B-E75BF7B682E8}\Adm\conf.adm
USERENV(615c.4c80) 13:27:43:421 CAdmFileLogger::Log: Logging \\BRCAKP5500WAP\admin$\System32\GroupPolicy\Adm\wuau.adm
USERENV(615c.4c80) 13:27:43:577 CAdmFileLogger::Log: Logging \\BRCAKP5500WAP\admin$\System32\GroupPolicy\Adm\word11.adm
USERENV(615c.4c80) 13:27:45:421 CAdmFileLogger::Log: Logging \\BRCAKP5500WAP\admin$\System32\GroupPolicy\Adm\wmplayer.adm
USERENV(615c.4c80) 13:27:45:484 CAdmFileLogger::Log: Logging \\BRCAKP5500WAP\admin$\System32\GroupPolicy\Adm\system.adm
USERENV(615c.4c80) 13:27:45:609 CAdmFileLogger::Log: Logging \\BRCAKP5500WAP\admin$\System32\GroupPolicy\Adm\ppt11.adm
USERENV(615c.4c80) 13:27:47:359 CAdmFileLogger::Log: Logging \\BRCAKP5500WAP\admin$\System32\GroupPolicy\Adm\office11.adm
USERENV(615c.4c80) 13:27:47:453 CAdmFileLogger::Log: Logging \\BRCAKP5500WAP\admin$\System32\GroupPolicy\Adm\inetres.adm
USERENV(615c.4c80) 13:27:49:187 CAdmFileLogger::Log: Logging \\BRCAKP5500WAP\admin$\System32\GroupPolicy\Adm\excel11.adm
USERENV(615c.4c80) 13:27:49:343 CAdmFileLogger::Log: Logging \\BRCAKP5500WAP\admin$\System32\GroupPolicy\Adm\conf.adm
USERENV(615c.4c80) 13:27:51:343 LogAdmRsopData: Successfully logged Adm data
------------------

5. This issue may occur if RSoP logging is enabled and there is a large WMI repository on the problem server.
6. "The WMI repository is located at the following location: %windir%\System32\Wbem\Repository
RSoP uses the CIMOM database through WMI. When a computer logs on to a network, information such as the computer hardware, Group Policy Software Installation settings, Internet Explorer Maintenance settings, Scripts, Folder Redirection settings, and Security Settings, are written to the CIMOM database. When you start RSoP in logging mode, RSoP reports policy settings that have been applied using the information provided in the CIMOM database."
7. To fix it, create the following DWORD value:
"HKLM\Software\Policies\Microsoft\Windows\System"
Create a new DWORD "RSoPLogging" with the value 0 (hex).
This is the same setting as the "Turn off Resultant Set of Policy logging" Group Policy. With RSoP logging turned off, tools that read that CIMOM data (gpresult, the RSoP snap-in in logging mode) no longer report the policy applied on this server, so keep a note of the change for future Group Policy troubleshooting.
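As an added example (not part of the original post), the Python below turns userenv.log into per-thread timing gaps, which is how the 13:00:04 to 13:27:20 stall above stands out without reading the log by hand. The sample lines are constructed to match the format quoted above; the second thread id and its ProcessGPOs line are made up to show that gaps are measured within a thread, not across the whole file.

```python
import re
from typing import Dict, List, Optional, Tuple

# USERENV(<pid>.<tid>) HH:MM:SS:mmm <function>: <message>
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3}) (?P<rest>.+)$"
)

# Constructed excerpt in the format quoted above. Thread 615c.4c80 carries the stall
# from the post; thread 615c.1f10 and its ProcessGPOs line are made up.
SAMPLE_LOG = r"""
USERENV(615c.4c80) 13:00:04:767 AllocAdmFileInfo: Adding File name <\\XYZ.domain.com\SysVol\XYZ.domain.com\Policies\{982E46A9-9CDE-45D9-B52B-E75BF7B682E8}\Adm\conf.adm> to the Adm list.
USERENV(615c.4c80) 13:00:04:767 AllocAdmFileInfo: Adding File name <\\XYZ.domain.com\SysVol\XYZ.domain.com\Policies\{982E46A9-9CDE-45D9-B52B-E75BF7B682E8}\Adm\wuau.adm> to the Adm list.
USERENV(615c.1f10) 13:00:05:001 ProcessGPOs: Processing extension Registry
USERENV(615c.4c80) 13:27:20:218 LogRegistry RsopData: Successfully logged registry Rsop data
USERENV(615c.4c80) 13:27:37:312 CAdmFileLogger::Log: Logging \\XYZ.domain.com\SysVol\XYZ.domain.com\Policies\{982E46A9-9CDE-45D9-B52B-E75BF7B682E8}\Adm\wuau.adm
USERENV(615c.4c80) 13:27:51:343 LogAdmRsopData: Successfully logged Adm data
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Thread id, millisecond time-of-day, function and message for one log line."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    ts = ((int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])) * 1000 + int(m["ms"])
    # The function name runs up to the first ": " (it may contain spaces or "::").
    func, _, msg = m["rest"].partition(": ")
    return {"thread": f"{m['pid']}.{m['tid']}", "ts_ms": ts, "func": func, "msg": msg}


def thread_gaps(log_text: str) -> List[Tuple[int, str, str, str]]:
    """Gaps between consecutive lines of the same thread, largest first.

    Each entry is (gap_ms, thread, function before the gap, function after it).
    Timestamps are time-of-day only, so a logon that crosses midnight needs date context.
    """
    last: Dict[str, Dict[str, object]] = {}
    gaps = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        prev = last.get(rec["thread"])
        if prev is not None:
            gaps.append((rec["ts_ms"] - prev["ts_ms"], rec["thread"], prev["func"], rec["func"]))
        last[rec["thread"]] = rec
    return sorted(gaps, reverse=True)


def fmt_ms(ms: int) -> str:
    """1635451 -> '27m15.451s'."""
    minutes, rem = divmod(ms, 60_000)
    return f"{minutes}m{rem / 1000:.3f}s"


if __name__ == "__main__":
    for gap_ms, thread, before, after in thread_gaps(SAMPLE_LOG)[:3]:
        print(f"{fmt_ms(gap_ms):>12}  {thread}  {before} -> {after}")
```

The top entry names the two log functions on either side of the stall, which is what points at RSoP logging here rather than at the ADM file downloads that follow it.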

Articles Used
=============
http://support.microsoft.com/kb/2020286
http://technet.microsoft.com/en-us/library/cc783154(WS.10).aspx

Nov 2, 2010

Cluster Member Win2K3 Cannot Join the Cluster in Cluster Admin

SYMPTOM:
=========
Node "XYZ01" cannot finish joining the Windows Server 2003 cluster.
When trying to start the Cluster Service from Cluadmin, the error message is "Could not start cluster service on XYZ01 ERROR 1067: The process terminated unexpectedly".



Environment:
=========
Two node Failover Cluster
Node OS Version --- Build 3790 Windows Enterprise Server 2003
Node Service Pack - Service Pack 2
The Quorum Drive -- Q:\MSCS\
The Quorum Reset Value is -- 4096 KB

Cluster Networks
PRIVATIVA-01 Private Only 255.255.255.0
Local Area Connection(2) All Comm 255.255.224.0

Cluster Networks Priority
PRIVATIVA-01
Local Area Connection(2)

Solution:
==========
For this issue the solution was related to hotfixes KB968389 and KB975467.

http://support.microsoft.com/kb/975467:
" If you install update 968389 before you apply this security update, you are offered this update to address the vulnerability on your computer. If you install update 968389 after you apply this security update, you will be offered only update 968389 for installation. However, this security update does contain the update to address this security vulnerability. Upon successful installation, both "Extended Protection for Authentication (KB968389)" and this security update are listed as installed software."

To solve the issue, use http://support.microsoft.com/kb/968389 and choose the "LET ME FIX" option.

A simple example of the order in which the hotfixes should be installed:

XYZ01 ------------
10/21/2010 9:38:16 AM Information XYZ01 4377 NtServicePack CORP\xyzuser Windows Server 2003 Hotfix KB968389 was installed.
2/6/2010 Windows Server 2003 Hotfix KB975467 was installed.
8/17/2009 Update for Windows Server 2003 x64 Edition (KB968389).


KB
========================
http://support.microsoft.com/kb/975467
http://support.microsoft.com/kb/968389


Explanation about the Case/Scenario:
====================================
Although this solution looks really simple, the scenario was complex and it was very hard to find this solution.
If you see something similar, I really recommend trying the "Best Practices" for Windows 2003 clusters as the first action.