MaxTokenSize and Kerberos Token Bloat

Overview of MaxTokenSize

By default, MaxTokenSize is 12,000 bytes. That has been the default since Windows 2000 SP2 and is still the default in Windows 7 and Windows Server 2008 R2. As companies grow, so does the number of groups in the organization, and a user's Kerberos token grows with every group the user is placed in. If the token becomes too big, the user will receive error messages at logon, and applications that use Kerberos authentication may fail as well.

Updated Guidance and Recommendations

In the past, guidance stated that you could increase the MaxTokenSize registry entry up to 65535. However, HTTP base64-encodes the authentication context token it carries in request headers, and that encoding overhead limits how large a token can be before web requests fail. For that reason, starting with Windows 8 and Windows Server 2012 the default value of the MaxTokenSize registry entry is 48000 bytes, and we recommend that you set MaxTokenSize no larger than 48000 bytes on any OS version.

How to reduce Kerberos token bloat

To reduce the Kerberos Ticket Size you can:

  • Reduce or consolidate group membership
  • Clean up SID History (every SID carried in sIDHistory takes space in the token, just like a group)
  • Limit the number of accounts that are configured as "trusted for delegation". For an account that is trusted for delegation, the buffer requirement for the token roughly doubles.
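The three items above all reduce the same number: the estimated token size. The following PowerShell function is an added example, not code from the original page; it applies the estimate documented in KB 327825 (TokenSize = 1200 + 40·d + 8·s, doubled for accounts trusted for delegation, where d counts domain local groups, universal groups from other domains and sIDHistory entries, and s counts global groups and universal groups from the user's own domain). The account names and group counts are constructed sample data, not real accounts, and the function name is the author's own.

```powershell
# Added example, not from the original page. Estimates the Kerberos token size with the
# formula documented in KB 327825:  TokenSize = 1200 + 40*d + 8*s, doubled for accounts
# that are trusted for delegation.
#   d = domain local groups + universal groups from other domains + SIDs in sIDHistory
#   s = global groups + universal groups from the user's own domain
# The group counts passed in below are constructed sample data, not real accounts.
function Get-KerberosTokenSizeEstimate {
    [CmdletBinding()]
    param(
        [int]$DomainLocalGroups = 0,
        [int]$ForeignUniversalGroups = 0,
        [int]$SidHistoryEntries = 0,
        [int]$GlobalGroups = 0,
        [int]$LocalUniversalGroups = 0,
        [switch]$TrustedForDelegation,
        [int]$MaxTokenSize = 12000   # default through Windows 7 / Server 2008 R2
    )
    $d = $DomainLocalGroups + $ForeignUniversalGroups + $SidHistoryEntries
    $s = $GlobalGroups + $LocalUniversalGroups
    $bytes = 1200 + (40 * $d) + (8 * $s)
    if ($TrustedForDelegation) { $bytes *= 2 }   # KB 327825: double the result for delegation

    [pscustomobject]@{
        SidCount            = $d + $s
        EstimatedTokenBytes = $bytes
        MaxTokenSize        = $MaxTokenSize
        FitsInMaxTokenSize  = ($bytes -le $MaxTokenSize)
        # More than 1,015 SIDs fails logon regardless of MaxTokenSize
        OverHardSidLimit    = (($d + $s) -gt 1015)
    }
}

# Constructed sample accounts (hypothetical names and counts).
$samples = [ordered]@{
    'jdoe'         = @{ DomainLocalGroups = 40;  GlobalGroups = 120 }
    'svc-web'      = @{ DomainLocalGroups = 150; SidHistoryEntries = 30; GlobalGroups = 200; TrustedForDelegation = $true }
    'legacy-admin' = @{ DomainLocalGroups = 700; GlobalGroups = 400 }
}

# Evaluate every sample against the old default (12000) and the recommended ceiling (48000).
$results = foreach ($name in $samples.Keys) {
    $params = $samples[$name]
    foreach ($limit in 12000, 48000) {
        Get-KerberosTokenSizeEstimate @params -MaxTokenSize $limit |
            Select-Object @{ n = 'Account'; e = { $name } }, *
    }
}
$results | Format-Table -AutoSize
```

The three samples are chosen to show the three outcomes a practitioner meets: jdoe fits under the old 12,000-byte default; svc-web, which is trusted for delegation, lands at 20,000 bytes, over the old default but under 48,000, so raising MaxTokenSize helps; legacy-admin fits under 48,000 bytes yet carries more than 1,015 SIDs, which no MaxTokenSize value can fix and which only group cleanup resolves. To get real counts for a logged-on user, `whoami /groups` lists the groups in the current token.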

How to prevent Kerberos login errors due to token bloat

To allow a user to be a member of more than roughly 900 groups, increase MaxTokenSize by modifying the following registry key on every computer that takes part in the authentication (workstations, application servers and domain controllers).

To use this parameter:

  1. Start Registry Editor (Regedt32.exe or Regedit.exe).
  2. Locate and click the following key in the registry:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  3. If this key is not present, create the key. To do so:
     a. Click the following key in the registry:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
     b. On the Edit menu, click Add Key.
     c. Create a Parameters key.
     d. Click the new Parameters key.
  4. On the Edit menu, click Add Value, and then add the following registry value:
     Value name: MaxTokenSize
     Data type: REG_DWORD
     Radix: Decimal
     Value data: 48000
  5. Quit Registry Editor and restart the computer so that new tokens are built with the new size.
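The same procedure, scripted so it can be run on many computers and checked afterwards. This is an added example, not code from the original page; the function names are the author's own, and the script assumes it is run from an elevated PowerShell session on the computer being changed. The built-in default it reports when no registry value is present (12000 before Windows 8 / Windows Server 2012, 48000 from then on) is taken from the guidance above.

```powershell
# Added example, not from the original page. Reads the effective MaxTokenSize and sets it
# through the registry key named in the manual steps. Run from an elevated PowerShell
# session; the new value only applies to tokens built after the computer restarts.
$KerberosParameters = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-EffectiveMaxTokenSize {
    $value = (Get-ItemProperty -Path $KerberosParameters -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    if ($null -ne $value) {
        return [pscustomobject]@{ Source = 'registry'; Bytes = $value }
    }
    # No override present: the built-in default is 12000 before Windows 8 / Server 2012
    # (kernel version 6.2) and 48000 from then on.
    $default = if ([Environment]::OSVersion.Version -ge [version]'6.2') { 48000 } else { 12000 }
    [pscustomobject]@{ Source = 'OS default'; Bytes = $default }
}

function Set-MaxTokenSize {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 48000 is the ceiling recommended above; larger values break base64-encoded
        # HTTP authentication headers.
        [ValidateRange(1, 48000)]
        [int]$Bytes = 48000
    )
    $before = Get-EffectiveMaxTokenSize
    if ($before.Source -eq 'registry' -and $before.Bytes -eq $Bytes) {
        Write-Verbose "MaxTokenSize is already $Bytes"
        return $before
    }
    if (-not (Test-Path $KerberosParameters)) {
        # Creates the Parameters key under ...\Lsa\Kerberos (step 3 of the manual procedure)
        New-Item -Path $KerberosParameters -Force | Out-Null
    }
    $action = "Set MaxTokenSize=$Bytes (was $($before.Bytes), $($before.Source))"
    if ($PSCmdlet.ShouldProcess($KerberosParameters, $action)) {
        # Step 4: REG_DWORD named MaxTokenSize, decimal value
        Set-ItemProperty -Path $KerberosParameters -Name MaxTokenSize -Value $Bytes -Type DWord
        Write-Warning 'Restart the computer for the new MaxTokenSize to take effect.'
    }
    Get-EffectiveMaxTokenSize
}

Get-EffectiveMaxTokenSize
Set-MaxTokenSize -Bytes 48000 -Verbose
```

`Set-MaxTokenSize -WhatIf` shows what would change without touching the registry, and the `[ValidateRange]` attribute refuses the old 65535 advice outright. Because the value must match on every computer in the authentication chain, the scripted form is mainly useful for spot checks; for fleet-wide deployment use the Group Policy approach in KB 938118 referenced below.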

However, keep in mind that there is a hard limit of 1,015 groups a user can be a member of, and raising MaxTokenSize does not change it. If a user who is a member of more than 1,015 groups tries to log on to a computer with a local or domain account, they will receive this logon message: "The system cannot log you on due to the following error: During a logon attempt, the user's security context accumulated too many security IDs. Please try again or consult your system administrator."

How to use Group Policy to add the MaxTokenSize registry entry to multiple computers

https://support.microsoft.com/kb/938118/EN-US

On Windows 8 and Windows Server 2012 and later, the same setting is also available as the Group Policy setting "Set maximum Kerberos SSPI context token buffer size" under Computer Configuration\Administrative Templates\System\Kerberos.

New resolution for problems with Kerberos authentication when users belong to many groups
https://support.microsoft.com/kb/327825

"HTTP 400 - Bad Request (Request Header too long)" error in Internet Information Services (IIS)
https://support.microsoft.com/default.aspx?scid=kb;EN-US;2020943

Users who are members of more than 1,015 groups may fail logon authentication
https://support.microsoft.com/kb/328889/

Group Policy may not be applied to users belonging to many groups
https://support.microsoft.com/kb/263693/