Kerberos token large size differences with same user, same domain, same etype, but different services

  • Question

  • We have two different services (both MOSS 2007 farms) using Kerberos for authentication, and we have found that the Kerberos token size is about twice the size in one farm, half the size in the other. AFAIK, the token should be the same data if it is the same user (and it is), so the only thing I could think of that might change the size would be the encryption type. Near as I can see, the etypes are the same (RSADSI RC4 HMAC).

    We have verified (using Netmon and klist) that Kerberos authentication is used on each farm. We used Fiddler2 to get the token from the request header so we could compare them.

    The customer problem we were working on when we found this was a problem with Excel web parts causing the request header to exceed default size limits. Each Excel web part is putting a cookie in the header, and it is putting the Kerberos token in the header. Because Kerberos tokens can be big (ours are; we have a lot of group memberships), this can cause header bloat to run up quickly. We would visit a page with, say, three Excel web parts on it, then go to a page with two, then go to a page with one. Then a page with one more. The last page would not load the Excel web part, and the next SharePoint page you tried to visit would fail with the error that the request header was too large. You would have a new cookie for each web part you visited.

    When we tried to duplicate the problem on the dev server we could not do so. In prod, you would crash after 5 or 6 cookies accumulated. Dev would happily truck along with 8 or 9 cookies in the header and no problems. This led us to look at the headers in more detail and find that the main difference was the size of the token: on the dev server it was about half the size it was on prod.

    It should be the same size! Of course, we would prefer it to be the smaller size.

    Thursday, March 31, 2011 2:58 PM

Answers

  • Found the difference. The dev MOSS farm is not set up for delegation. The production farm is set up for delegation. When a service ticket is delegatable, it is bigger. How much bigger? For the account we are testing with, about twice as big.

    Thursday, March 31, 2011 5:39 PM
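The header-budget arithmetic behind this thread (Kerberos token in the Authorization header plus one cookie per web part, against a fixed request-header limit) can be checked from a header dump such as the one Fiddler produces. The script below is an added example, not code from the thread; the request text, token bytes and cookie names are constructed, and the 16 KB limit is an assumed default (http.sys MaxFieldLength) that should be replaced with the server's configured value.

```python
"""Measure how much of the request-header budget the Kerberos token and
per-web-part cookies consume, and how many more cookies fit before the limit.
Sample request is constructed; the token is placeholder bytes, not a ticket."""
import base64

# Assumed default limit (http.sys MaxFieldLength 16 KB); use the configured value.
HEADER_LIMIT_BYTES = 16 * 1024


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw request (request line + headers) into (name, value) pairs."""
    lines = raw.strip().splitlines()[1:]          # drop the request line
    pairs = []
    for line in lines:
        if not line.strip():
            break                                  # end of the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def analyse(raw: str) -> dict:
    """Report total header bytes, Negotiate token size and cookie load."""
    pairs = parse_headers(raw)
    total = sum(len(n) + len(v) + 4 for n, v in pairs)   # "name: value\r\n"
    rep = {"total_bytes": total, "token_b64_bytes": 0, "token_raw_bytes": 0,
           "cookies": 0, "cookie_bytes": 0}
    for name, value in pairs:
        if name.lower() == "authorization" and value.startswith("Negotiate "):
            b64 = value.split(" ", 1)[1]
            rep["token_b64_bytes"] = len(b64)              # size on the wire
            rep["token_raw_bytes"] = len(base64.b64decode(b64))
        elif name.lower() == "cookie":
            rep["cookies"] += len([c for c in value.split(";") if c.strip()])
            rep["cookie_bytes"] += len(value)
    # Headroom expressed as additional cookies of the observed average size.
    avg = rep["cookie_bytes"] / rep["cookies"] if rep["cookies"] else 0
    rep["extra_cookies_until_limit"] = int((HEADER_LIMIT_BYTES - total) // avg) if avg else None
    rep["over_limit"] = total > HEADER_LIMIT_BYTES
    return rep


def build_request(token_raw_bytes: int, cookies: int, cookie_value_len: int) -> str:
    """Constructed request: placeholder token of the given raw size plus N web-part cookies."""
    token = base64.b64encode(bytes(token_raw_bytes)).decode()
    jar = "; ".join(f"EwpSession{i}={'x' * cookie_value_len}" for i in range(1, cookies + 1))
    return ("GET /sites/finance/default.aspx HTTP/1.1\r\nHost: portal.example.local\r\n"
            f"Authorization: Negotiate {token}\r\nCookie: {jar}\r\n\r\n")


if __name__ == "__main__":
    for label, size in (("prod (delegatable)", 6000), ("dev", 3000)):
        print(label, analyse(build_request(size, 9, 1000)))
```

With the constructed sizes, a token twice as large flips the same nine cookies from comfortably under the limit to over it, which is the prod/dev asymmetry the thread describes.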
