Extending the MaxTokenSize - TechRepublic
General discussion
July 21, 2008 at 02:53 AM
jurjen t

Extending the MaxTokenSize

by jurjen t . Updated 17 years, 5 months ago

From the experience I gained during several Active Directory migrations I noticed the regular problems about the Kerberos MaxTokenSize. These centralization and consolidation projects tend to have a similar phenomenon: Growth of groups within the AD!

? The number of groups within the Microsoft Active Directory rises because the resources are published using the delegation Model. Applications used to be installed locally, but because of the migration every every single APP get?s a GG & LG.
? The number of groups within the Microsoft Active Directory rises because the data is migrated. The mess at the customer (resource domains, SID history, user delegation instead of using groups) is cleaned so new groups must be created.

At a certain point users are unable to log in and use their resources. By default, the MaxTokenSize is 12000k. The maximum number of groups for this buffersize is dependent on a few factors, but in general the limit can be reached around the 70-120 groups.

How do I know if I have this problem?

The MaxTokenSize for a domain, user or computer can be calculated using tokensz.exe. If you have logon and/or resource problems you are able to make a calculation:

Tokenz.exe can calculate the tokensize using the commands below:

Tokensz.exe /compute_tokensize /domain: Calculates the domain TokenSize & MaxTokenSize
Tokensz.exe /compute_tokensize /system: Calculates the system TokenSize & MaxTokenSize
Tokensz.exe /compute_tokensize /user: Calculates the user TokenSize & MaxTokenSize
Tokensz.exe /calc_groups Calculates the groups for a user, including nested groups.

How can I solve this problem?

The TokenSize update is nothing more than a reg key. Because it is recommended to change it for the entire domain, a GPO is the way to do it. This GPO can contain the following .adm file:

*************************
CLASS MACHINE
CATEGORY SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
POLICY Parameters
KEYNAME SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
PART MaxTokenSize NUMERIC
VALUENAME “MaxTokenSize” MAX 65535
END PART
EXPLAIN “Adjusts the Kerberos MaxTokenSize issue. User that belong to too many groups have logon problems without this registry adjustment”
END POLICY
END CATEGORY
*************************
Microsoft recommends not to exceed the maxtokensize of 66535!

This discussion is locked

All Comments