Feb 14, 2012

User unable to connect to OCS because token size was too large

Hello ALL,

A small issue that occurred, and one I'd like to share. Simple, but sometimes you need to read.

Issue:

A user was unable to sign in to Office Communications Server (OCS) with Office Communicator.

Symptoms:

The error message was:

"Cannot sign in to Communicator. You may have entered your sign-in address, user name incorrectly, or the authentication service may be incompatible with this version of the program. If your sign-in information is correct and the problem persists, please contact your system administrator."

The System event log entry (source Kerberos, Event ID 6) was:

The kerberos SSPI package generated an output token of size 12175 bytes, which was too large to fit in the token buffer of size 12000 bytes, provided by process id 6492.

The output SSPI token being too large is probably the result of the user blablabla@mpc.local being a member of a large number of groups.

It is recommended to minimize the number of groups a user belongs to. If the problem can not be corrected by reduction of the group memberships of this user, please contact your system administrator to increase the maximum token size, which in term is configured machine-wide via the following registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.



Solution:
Reduce the number of groups to which the user belongs.

Explanation:

The user cannot authenticate because the Kerberos token (the service ticket carrying the user's PAC, i.e. the SIDs of every security group the user belongs to, nested groups included) has to fit a buffer of fixed maximum size on the receiving side. Transports such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication. In the original release of Windows 2000, MaxTokenSize was 8,000 bytes. From Windows 2000 Service Pack 2 (SP2) and Windows Server 2003 onward, and still in Windows 7 and Windows Server 2008 R2, the default MaxTokenSize is 12,000 bytes (Windows 8 and Windows Server 2012 later raised the default to 48,000 bytes).

Once a user is a member of more than roughly 120 groups, the buffer sized by MaxTokenSize is no longer large enough. As a result the user cannot authenticate, and may see an "out of memory" error rather than anything that mentions Kerberos. KB 327825 gives a rule of thumb for the token size: TokenSize = 1200 + 40d + 8s, where d is the number of domain local groups the user belongs to (plus universal groups outside the user's account domain and any SIDs in SID history) and s is the number of global groups plus universal groups in the user's account domain. Both counts include nested memberships, and domain local groups are the expensive ones at 40 bytes each.

The default is not a hard limit: MaxTokenSize can be raised on the affected machines, with 65,535 bytes (64 KB) as the recommended ceiling. Do not set MaxTokenSize above 65,535 bytes; applications that use Kerberos authentication may fail if you do.

So the other solution for this same case is to raise MaxTokenSize (the registry value named in the event log entry) instead of trimming group membership. Two caveats: the value must be set on every machine in the authentication path, here the client and the OCS front end, and it takes effect after a restart; and where Kerberos runs over HTTP the ticket travels base64-encoded in the Authorization header, so the HTTP.sys header limits (MaxFieldLength and MaxRequestBytes under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters) may need raising as well.
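The following script is an added example, not code from the original post: it estimates the user's token size with the KB 327825 formula from the user's actual (nested) group membership, compares it with the MaxTokenSize in force on the machine where it runs, and optionally raises the value. It assumes a domain-joined Windows host with ADSI/.NET available (no RSAT module needed), an elevated prompt for -Fix, and uses the account name "blablabla" from the event log above as a placeholder; the headroom and rounding used for the proposed value are this example's own choice.

```powershell
<#
  Added example (not from the original post): estimate a user's Kerberos token
  size with TokenSize = 1200 + 40d + 8s (KB 327825), compare it with the local
  MaxTokenSize, and optionally raise the registry value.
  Assumptions: domain-joined host, ADSI/.NET only, -Fix needs an elevated prompt.
#>
param(
    [string]$SamAccountName = "blablabla",   # placeholder account from the event log
    [switch]$Fix
)

$RegPath             = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
$DefaultMaxTokenSize = 12000   # effective default on Windows 7 / Server 2008 R2 when the value is absent
$RecommendedCeiling  = 65535   # never configure MaxTokenSize above this

function Get-MaxTokenSize {
    $item = Get-ItemProperty -Path $RegPath -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $DefaultMaxTokenSize }
    return [int]$item.MaxTokenSize
}

function Get-KerberosTokenEstimate([string]$Sam) {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter     = "(&(objectCategory=person)(sAMAccountName=$Sam))"
    $found = $searcher.FindOne()
    if ($null -eq $found) { throw "User '$Sam' not found in $($rootDse.defaultNamingContext)" }

    $user = $found.GetDirectoryEntry()
    # tokenGroups is a constructed attribute: every security group SID the user is in,
    # nested membership already resolved, i.e. what the KDC places in the PAC.
    $user.RefreshCache(@("tokenGroups"))
    $userSid       = New-Object System.Security.Principal.SecurityIdentifier($user.Properties["objectSid"].Value, 0)
    $userDomainSid = $userSid.AccountDomainSid

    $d = $user.Properties["sIDHistory"].Count   # SID history entries count toward d
    $s = 0
    foreach ($sidBytes in $user.Properties["tokenGroups"]) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try {
            $group = [ADSI]"LDAP://<SID=$($sid.Value)>"
            $type  = [int]$group.Properties["groupType"].Value
        } catch {
            $d++; continue   # cannot bind locally (e.g. group from another domain): assume the 40-byte case
        }
        if ($type -band 0x4)     { $d++ }                       # ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP
        elseif ($type -band 0x2) { $s++ }                       # ADS_GROUP_TYPE_GLOBAL_GROUP
        elseif ($type -band 0x8) {                              # ADS_GROUP_TYPE_UNIVERSAL_GROUP
            if ($sid.AccountDomainSid -eq $userDomainSid) { $s++ } else { $d++ }
        }
    }

    New-Object PSObject -Property @{
        User          = $Sam
        GroupCount    = $user.Properties["tokenGroups"].Count
        D             = $d
        S             = $s
        EstimatedSize = 1200 + 40 * $d + 8 * $s
    }
}

$max = Get-MaxTokenSize
$est = Get-KerberosTokenEstimate -Sam $SamAccountName
$est | Format-List User, GroupCount, D, S, EstimatedSize
"MaxTokenSize in force on $($env:COMPUTERNAME): $max bytes"

if ($est.EstimatedSize -le $max) {
    "Estimate fits in the buffer; token bloat is probably not the cause here."
    return
}

# Example's own policy: 25 % headroom, rounded up to the next 4000 bytes, capped at the ceiling.
$proposed = [int][math]::Min($RecommendedCeiling, [math]::Ceiling(($est.EstimatedSize * 1.25) / 4000) * 4000)
"Estimate exceeds MaxTokenSize. Proposed value: $proposed bytes (set it on the client and the server, then restart)."

if ($Fix) {
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name MaxTokenSize -PropertyType DWord -Value $proposed -Force | Out-Null
    "MaxTokenSize set to $proposed on $($env:COMPUTERNAME); a restart is required."
}
```

Run it first without -Fix on the machine that logged Event ID 6 (here the client running Communicator) and compare the estimate with the 12175-byte token the event reported; if the two are far apart, the group count is not the whole story. Repeat with -Fix on each machine in the authentication path, and keep the HTTP.sys header limits in mind when the service is reached over HTTP.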


Related articles
===========

New resolution for problems with Kerberos authentication when users belong to many groups
http://support.microsoft.com/kb/327825

MaxTokenSize and Kerberos Token Bloat
http://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-and-kerberos-token-bloat.aspx

