AD groups vs Kerberos Token size

  • Question

  • I'm struggling with 2 articles. There is this one:

    Which says that "Security principals (that is, user, group, and computer accounts) can be members of a maximum of approximately 1,015 groups"

    And this article:

    About token size. In my environment I have a user who has about 1000 groups, and he is not able to log in, but when I counted the token size it is way lower than 64kB (64kB is the size set for all machines). I understand that the number of groups is preventing the user from logging in, but what is the Kerberos token size for, if despite increasing its limit we are still limited to having around 1000 AD groups?

    Friday, September 29, 2017 12:48 PM

All replies

  • There are 2 limits:

    - Kerberos Token size

    - Access token (Group Membership)

    Kerberos TokenSize

    The MaxTokenSize value should not be set to a value higher than 64K (0x0000FFFF). With Windows 2012 and later, Microsoft has changed the default value of MaxTokenSize to 48K because of the HTTP header. A Kerberos ticket in an HTTP request is encoded as Base64.

    Setting MaxTokenSize to a value higher than 48K may cause issues with HTTP requests using Kerberos authentication.

    Access Token

    There is a limit of 1015 (or 1010) groups that a user should be a member of. If you have a user who is a member of more than 1015 groups, the user may receive an error like "STATUS_TOO_MANY_CONTEXT_IDS".

    AFAIK, both limits cannot be changed. The access token limit and the Kerberos Token Size have never changed since Windows 2000. The only thing that changed is the default value of MaxTokenSize.

    If I remember...
    Windows 2000 SP2 --> 2008 R2: 12K
    Windows 2012+ --> 48K

    This posting is provided AS IS without warranty of any kind

    Friday, September 29, 2017 1:18 PM
  • See these two KB articles for detail:

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, September 29, 2017 1:42 PM
  • First of all thanks for your reply, appreciate it.

    So counting the token size when a user has over 1010 or 1015 groups is irrelevant?

    What would a user have to do to reach, for example, 48K of token size, since the AD group limit is about 1000? I know that domain migration is also included in the token size, but I don't think this can be that big either.

    Thanks again!

    Friday, September 29, 2017 1:45 PM
  • I have read those articles but they raise more questions to be honest. There is a statement as:

    "The Local Security Authority (LSA) service generates the user Access Token from this SID buffer. The hard-coded limit of customer definable SIDs for this token is 1,015"

    Which seems reasonable but below is:

    "Therefore, if you have a MaxTokenSize value of 0x0000FFFF (64K), you may be able to buffer approximately 1600 Domain Local Group SIDs or approximately 8000 Domain Global/Universal Group SIDs" 

    And I have MaxTokenSize set to 64K, but when the user is a member of 1000 groups the issue with too many IDs persists.

    Friday, September 29, 2017 6:39 PM
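To make the two separate limits in this thread concrete, here is an added example (not code from the thread or from Microsoft) that puts the quoted numbers side by side. The byte estimate is the rule of thumb from Microsoft's KB 327825 token-size guidance as I recall it (about 1200 bytes overhead, roughly 40 bytes per domain-local or SIDHistory SID and 8 bytes per global/universal SID); it is an approximation, not exact PAC arithmetic, and whether SIDHistory entries count toward the 1015 SID limit is treated as an assumption here.

```python
# Added example: the Kerberos byte budget (MaxTokenSize) and the LSA's fixed
# SID count for an access token are independent limits. The size formula is
# the KB 327825 rule of thumb as I recall it and is only an estimate.

MAX_TOKEN_SIZE_2012_DEFAULT = 48 * 1024   # 48K default on Windows Server 2012+
MAX_TOKEN_SIZE_CEILING = 0x0000FFFF       # 64K, the value not to exceed
MAX_SIDS_IN_ACCESS_TOKEN = 1015           # hard-coded LSA limit quoted in the thread
OVERHEAD_BYTES, DOMAIN_LOCAL_BYTES, GLOBAL_BYTES = 1200, 40, 8


def estimate_token_bytes(domain_local, global_universal, sid_history=0):
    """Estimated Kerberos token size in bytes for the given group counts."""
    return (OVERHEAD_BYTES
            + DOMAIN_LOCAL_BYTES * (domain_local + sid_history)
            + GLOBAL_BYTES * global_universal)


def sids_that_fit(max_token_size, bytes_per_sid):
    """How many SIDs of one cost class fit in a token of max_token_size bytes."""
    return (max_token_size - OVERHEAD_BYTES) // bytes_per_sid


def check_limits(domain_local, global_universal, sid_history=0,
                 max_token_size=MAX_TOKEN_SIZE_2012_DEFAULT):
    """Return which of the two independent limits a user would hit."""
    # Assumption: SIDHistory entries count toward the SID limit like groups do.
    sid_count = domain_local + global_universal + sid_history
    size = estimate_token_bytes(domain_local, global_universal, sid_history)
    problems = []
    if sid_count > MAX_SIDS_IN_ACCESS_TOKEN:
        problems.append("STATUS_TOO_MANY_CONTEXT_IDS")   # access-token SID limit
    if size > max_token_size:
        problems.append("token exceeds MaxTokenSize")    # Kerberos byte limit
    return {"sids": sid_count, "bytes": size, "problems": problems}


if __name__ == "__main__":
    # The situation in the question: ~1000 global groups, MaxTokenSize at 64K.
    # The byte estimate is far below 64K, yet a few more groups trip the
    # 1015-SID limit, which MaxTokenSize does not govern at all.
    print(check_limits(0, 1000, max_token_size=MAX_TOKEN_SIZE_CEILING))
    print(check_limits(0, 1020, max_token_size=MAX_TOKEN_SIZE_CEILING))
    # Why the KB can quote ~1600 domain-local or ~8000 global SIDs for 64K:
    print(sids_that_fit(MAX_TOKEN_SIZE_CEILING, DOMAIN_LOCAL_BYTES),
          sids_that_fit(MAX_TOKEN_SIZE_CEILING, GLOBAL_BYTES))
```

Running it shows the 1000-group user well under the byte budget while sitting just below the SID count ceiling, which is why raising MaxTokenSize does not help that user.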
  • I already had issues in the past with accounts that were members of around 1000 groups, but only with several applications. The Windows login was working but SQL authentication was failing.

    The only way to fix it was to reduce the number of group memberships.

    Have you already looked at the possibility of reducing the number of groups for this specific user?

    This posting is provided AS IS without warranty of any kind

    Friday, September 29, 2017 6:55 PM
  • I think this might be the only solution, but still, I'm just wondering what the point of setting MaxTokenSize is if being a member of 1000 AD groups makes it impossible to log in.

    Friday, September 29, 2017 8:12 PM
  • I believe it is this way: The size (in kb) it takes to store a list of your 1000+ AD group memberships varies according to the size of your group names. Before WS2012, you risked hitting the 12k size limit of the Access Token before reaching the 1024 number-of-elements-in-an-array-limit of the array-property holding the list of groups. This could be the case if you had very long group names.

    So to fix that, MaxTokenSize was increased from 12k to 48k. That made sure you had enough space (in kb) in your token to store the list (array) of group names, without hitting the token size limit. However, the array representing that list is still hard coded to have a maximum size of 1024 elements or something, of which 1015 are available to your own groups (I believe 9-or-something slots in the array are defaults you cannot change).

    Probably, increasing the size of (number of elements supported by) the array representing that list would break something in Kerberos? Or would make it extremely inefficient? I'm only guessing. 

    Monday, April 29, 2019 1:27 PM
  • The array is not of group names, but of the objectSID values of the groups. It includes all security groups that the user is a member of, including due to group nesting and including the "primary" group of the user (generally the "Domain Users" group).

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Monday, April 29, 2019 3:21 PM