Weird Kerberos token size problem

    Question

  • Hi,

    I read a lot about the Kerberos token size problem, but still can't solve our problem. We have a single domain environment running on Windows Server 2012.

    It started with users not being able to log in to their systems, so we reduced the number of groups for each user and also changed the group scope of some of them.

    After these changes, all users were able to log in again. For 5 users, some weird problem remains:

    They can log in, but can't access network shares, so we analyzed the network traffic and saw that the Kerberos tokens are still bigger than 12k.

    So I read through a lot of threads and checked whether any of the conditions mentioned there lead to the token size. No SID history for them, the same groups as other users without this problem, and the two flags "trusted_for_delegation" and "trusted_for_auth_delegation" in the user account control are NOT checked (since they can lead to a doubling of the token size).

    Then I played around a little bit and the problem got weirder. If I enable the "not_delegated" flag for each of the 5 affected users, they can access the shares. If I remove it, they can't access the shares anymore.

    Furthermore, Citrix logs the token size of the users as ~6.5k if the not_delegated flag is enabled and as 13k if it's disabled.

    I know that this flag prohibits another account from delegating this account, and that the other two flags permit this account to delegate another one.

    My question is: What does the not_delegated flag change in the Kerberos token?

    What other settings can double the token size?

    Why are the 5 users able to log in but can't access the network shares? (with the flag not activated)

    How can I resolve the problem without increasing the token size?

    Thanks and regards,

    Niko

    Friday, March 10, 2017 10:47 AM

All replies

  • Niko,

    Any of the Kerberos authentication-related user account settings affect the size of the Kerberos token.

    You likely already are familiar with https://technet.microsoft.com/en-us/library/cc738673(v=ws.10).aspx - this will give you a summary of all computer and user object properties that are in this category.

    This does come into play when accessing network resources - such as network shares (from what I recall, this may be further amplified if these are part of a DFS namespace).

    In short you have two options - modifying user account properties (which you did) or increasing the token size.

    If your DCs are running WS 2012 or newer, you further benefit from the resource SID compression. More at https://blogs.technet.microsoft.com/askds/2012/09/12/maxtokensize-and-windows-8-and-windows-server-2012/

    hth
    Marcin

    Friday, March 10, 2017 12:20 PM
  • Thanks Marcin for your fast answer.

    I am already familiar with the suggested links containing the Kerberos properties, but I am interested in how those properties change the token size. Like trusted for delegation may double the size.

    Do you know if there is a list or reference where this information can be found? Since I calculated the size for the users with the formula 1200+40d+8s which is mentioned on a Microsoft help site and got ~6.5k, something has to double the size to exceed the limit of 12k.

    Maybe you are familiar with some documents which address this behavior?

    Thanks and regards

    Niko

    Friday, March 10, 2017 1:36 PM
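As an added example (not code from the thread or from Microsoft's script), the formula Niko cites, 1200 + 40d + 8s, worked out in Python together with the doubling rule the token-size script applies for accounts trusted for delegation. The group list, names and domain names are constructed assumptions, chosen so the estimate lands at ~6.5k and doubles past the 12k MaxTokenSize, mirroring the numbers in the posts.

```python
from dataclasses import dataclass

BASE_BYTES = 1200              # ticket overhead in TokenSize = 1200 + 40d + 8s
BYTES_PER_D = 40               # per domain-local group, foreign universal group, SID-history entry
BYTES_PER_S = 8                # per global group and same-domain universal group
LEGACY_MAX_TOKEN_SIZE = 12000  # default MaxTokenSize on older clients, the 12k limit in the thread

@dataclass(frozen=True)
class Group:
    name: str
    scope: str                 # "global", "domainlocal" or "universal"
    domain: str                # DNS name of the domain that holds the group

def count_terms(user_domain, groups, sid_history_entries=0):
    """Return (d, s) for the formula from a user's effective group list."""
    d = sid_history_entries    # SID-history entries count like domain-local groups
    s = 0
    for g in groups:
        if g.scope == "domainlocal":
            d += 1
        elif g.scope == "global":
            s += 1
        elif g.scope == "universal":
            if g.domain.lower() == user_domain.lower():
                s += 1
            else:
                d += 1
        else:
            raise ValueError(f"unknown group scope {g.scope!r} on {g.name}")
    return d, s

def estimate_token_size(user_domain, groups, sid_history_entries=0,
                        trusted_for_delegation=False):
    """Formula estimate in bytes; doubled when the account is trusted for delegation."""
    d, s = count_terms(user_domain, groups, sid_history_entries)
    size = BASE_BYTES + BYTES_PER_D * d + BYTES_PER_S * s
    return size * 2 if trusted_for_delegation else size

def fits(size, max_token_size=LEGACY_MAX_TOKEN_SIZE):
    """True when the estimated token fits the client's MaxTokenSize."""
    return size <= max_token_size

# Constructed membership (assumed names and domains) giving d=120, s=63.
SAMPLE_GROUPS = (
    [Group(f"DL-Share-{i}", "domainlocal", "corp.example") for i in range(118)]
    + [Group(f"U-Foreign-{i}", "universal", "other.example") for i in range(2)]
    + [Group(f"G-Dept-{i}", "global", "corp.example") for i in range(60)]
    + [Group(f"U-Home-{i}", "universal", "corp.example") for i in range(3)]
)
```

With these inputs the plain estimate is 6504 bytes and fits, while the delegation-doubled estimate is 13008 bytes and exceeds the 12k limit, which is the pattern Citrix logged; the formula is only an estimate and does not model resource SID compression on 2012-level DCs.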
  • Hi Niko,

    Just checking in to see if the information provided was helpful. If the replies above are helpful, we would appreciate it if you could mark them as answers; please let us know if you would like further assistance.

    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, March 17, 2017 9:31 AM
    Moderator
  • I am sorry for the late reply.

    Yes, I already tried this script, but it always replies ~6.5k while the access to the network shares is not working.

    I looked at the script in depth and saw that it only doubles the calculated size when the previously mentioned flags are set. But since they are not set, the calculated size is ~6.5k.

    As a note, while this script returns ~6.5k, Citrix logs the token size at the user login at about ~13k, so there has to be another flag which doubles the size of the token.

    Maybe you have another hint how this can be solved.

    Regards, Niko

    Monday, March 20, 2017 7:31 AM
    Hi Niko,
    As far as I know, the Kerberos token size could grow depending on the following factors:
    • Amount of direct and indirect (nested) group memberships.
    • Whether or not the user has a SID history, and if so, the number of entries.
    • Authentication method (username/password or multi-factor like Smart Cards).
    • The user is enabled for Kerberos delegation.
    • Local user rights assigned to the user.
    You could have a try at checking these aspects.
    In addition, based on my research, there is no such list or reference regarding which flag would double the Kerberos token size; however, you could open a case with Microsoft Technical Support to see if they could get more information from the product team regarding this: https://support.microsoft.com/en-us/contactus/?ws=support
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, March 22, 2017 8:07 AM
    Moderator