Authentication Fails Due to User PAC
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In certain scenarios when a user is a member of more than 70 groups, Kerberos authentication might fail. To carry the user's authorization information after a Kerberos logon, the KDC places Privilege Attribute Certificate (PAC) data in the ticket-granting ticket (TGT) and copies it into every service ticket issued from that TGT. The PAC contains several types of authorization data, including the groups the user is a member of (with nested memberships already expanded), the rights the user has, and the policies that apply to the user. When a service, including the workstation itself at interactive logon, receives a ticket for the user, it uses the information in the PAC to build the user's access token.
To optimize performance, the buffer for the PAC is pre-allocated. The pre-allocated buffer size is usually adequate to hold all the required authorization data. However, if a user has a very large group membership, somewhere from over 70 to over 120 groups depending on the group types (domain local groups and universal groups from other domains take more space in the PAC than global groups), the size of the PAC can exceed the pre-allocated buffer. In that case a memory allocation error occurs, PAC creation fails, and the Kerberos ticket-granting service either fails to issue a valid ticket or issues a ticket with an empty PAC. The failure is reported to the client as "0x3C - KRB_ERR_GENERIC: Generic error." Because Group Policy processing depends on the same logon, affected clients also fail to apply Group Policy settings.
You can use the following procedure on a Windows Server 2003-based computer to calculate the number of groups that a user is a member of by using the Kerberos Token Size (Tokensz.exe) tool.
To calculate the groups that a user belongs to by using the Tokensz.exe tool
Type the following at a command prompt:
tokensz /calc_groups ClientName /user:UserName /domain:UserDomain /password:ClientPassword /system
The following describes the parameters used with this command:
- /calc_groups This option is only available if you are using Windows Server 2003 KDCs and running the tool on a computer running Windows Server 2003. The parameter passed to this option is a user and (optionally) a domain that this user is a member of. Tokensz will list all the groups that this user is a member of.
- ClientName The user that you are listing the groups for
- /user:UserName The user name of an account with permission to query the group membership of the user.
- /domain:UserDomain The domain that the above account exists in.
- /password:ClientPassword The password that corresponds to the user account specified in the /user parameter.
- /system You must have administrator rights to use this switch, which runs the test under the Local System context of the computer that the test is being run on. In this case you must also supply the /user:UserName, /domain:UserDomain and /password:ClientPassword switches, because Local System has no domain credentials of its own with which to query the directory. This switch is useful for seeing which groups are present in the Local System logon context.
You can solve this problem in two ways:
Reduce the number of groups that the user is a member of. Because nested groups are expanded out within the PAC, the actual number of groups that the user is a member of might be greater than you suspect.
Alternatively, install a hotfix that enables you to set the maximum size of a Kerberos token through the registry. The value is MaxTokenSize (REG_DWORD, in bytes) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters; it must be set on the computers that build tokens from the PAC (the clients and servers the user authenticates to, not only the domain controllers), and those computers must be restarted for the change to take effect. For information about installing this hotfix, see New Resolution for Problems That Occur When Users Belong to Many Groups on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=23044).
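The following PowerShell script is an added example and is not part of the original article, nor is it Tokensz.exe or other Microsoft code. It ties together the two halves of the procedure above: it counts the groups that actually land in a user's PAC (the expanded tokenGroups attribute, so nested memberships are already included), classifies them by scope, estimates the resulting token size, and compares that estimate with the MaxTokenSize in effect on the computer it runs on. The size formula, 1200 + 40d + 8s, where d counts domain local groups, universal groups from other domains and SID-history entries and s counts global groups and universal groups from the user's own domain, together with the 12000-byte default for Windows 2000 SP2 through Windows Server 2008 R2, is the one Microsoft published in KB 327825; the SamAccountName parameter and the use of ADSI (so it needs no ActiveDirectory module) are this example's own choices. Run it from a domain-joined computer with an account permitted to read the target user's attributes.

```powershell
# Added example, not from the TechNet article: estimate a user's Kerberos token
# size from the expanded group membership the KDC would place in the PAC.
# Uses ADSI only, so no ActiveDirectory module is required.
# Formula from KB 327825:  TokenSize = 1200 + 40*d + 8*s
#   d = domain local groups + universal groups outside the user's domain + SID-history entries
#   s = global groups + universal groups in the user's domain
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName        # account to inspect, e.g. jdoe (example parameter)
)

$GROUP_SCOPE_MASK = 0xE            # groupType bits: 0x2 global, 0x4 domain local, 0x8 universal

# Locate the user in the current domain's default naming context.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$result = $searcher.FindOne()
if ($result -eq $null) { throw "User '$SamAccountName' not found" }
$user = $result.GetDirectoryEntry()

# tokenGroups is a constructed attribute: the fully expanded set of security
# group SIDs, which is what the KDC serialises into the PAC.
$user.RefreshCache(@("tokenGroups", "sIDHistory", "objectSid"))
$userSid    = New-Object System.Security.Principal.SecurityIdentifier($user.Properties["objectSid"][0], 0)
$userDomain = $userSid.AccountDomainSid

$d = $user.Properties["sIDHistory"].Count   # each SID-history entry costs 40 bytes
$s = 0
$unresolved = 0
foreach ($bytes in $user.Properties["tokenGroups"]) {
    $gsid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    try {
        # Bind to the group by SID and read its scope from groupType.
        $group = [ADSI]"LDAP://<SID=$gsid>"
        $type  = [int]$group.Properties["groupType"][0]
    } catch {
        # Well-known SIDs with no directory object cannot be classified; count and skip them.
        $unresolved++
        continue
    }
    switch ($type -band $GROUP_SCOPE_MASK) {
        2 { $s++ }                                   # global
        4 { $d++ }                                   # domain local
        8 { if ($gsid.AccountDomainSid -eq $userDomain) { $s++ } else { $d++ } }  # universal
    }
}

$estimate = 1200 + 40 * $d + 8 * $s

# MaxTokenSize in effect on this host: the registry value if present, else the platform default.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$maxTokenSize = 12000
$reg = Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue
if ($reg -ne $null) { $maxTokenSize = [int]$reg.MaxTokenSize }

"{0}: {1} groups in PAC (d={2}, s={3}); {4} unresolvable SIDs skipped" -f $SamAccountName, ($d + $s), $d, $s, $unresolved
"Estimated token size: {0} bytes; MaxTokenSize on this host: {1} bytes" -f $estimate, $maxTokenSize
if ($estimate -gt $maxTokenSize) {
    Write-Warning "Estimated PAC exceeds MaxTokenSize; expect KRB_ERR_GENERIC (0x3C) and Group Policy failures for this user."
}
```

The estimate is deliberately conservative about scope: the script only reads MaxTokenSize from the computer it runs on, so check it on the servers the user actually authenticates to, and treat a result within a few hundred bytes of the limit as a problem, since the formula is an approximation rather than a byte-exact measurement of the PAC.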