Windows 7, Windows XP and the strange Active Directory

September 17, 2009 at 14:04 (Windows)

Windows 7 and Windows XP just give different error messages for the same problem, mainly when you are a member of MANY AD groups (like me) and you want to work with that system:

Windows XP says most of the time:
“Not enough storage is available to complete this command”

Windows 7 says:
“Naming information cannot be located because:

The system detected a possible attempt to compromise security.
Please ensure that you can contact the server that authenticated you.
Contact your system administrator to verify that your domain is properly configured and is currently online.”

Under Win7 even Outlook 2007 didn’t want to start!

Win7 Kerberos Problem

Here is the detailed cause and solution to the problem (from the Microsoft knowledge base article on MaxTokenSize):

Cause:
The user is not able to authenticate because the Kerberos token that is generated during authentication attempts has a fixed maximum size.

Transports such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication. In Windows 2000 (the original released version), the MaxTokenSize value is 8,000 bytes. In Windows 2000 Service Pack 2 (SP2) and Microsoft Windows Server 2003, the MaxTokenSize value is 12,000 bytes.

If a user is a member of more than 120 groups, the buffer that is determined by the MaxTokenSize value is not large enough. As a result, users cannot authenticate, and they may receive an “out of memory” error message. Before you apply the hotfix that is described in this article, every group that is added to a user account increases this buffer by 40 bytes.

NOTE: In many scenarios, Windows NTLM authentication works as expected; you may not see the Kerberos authentication problem without analysis. However, scenarios in which Group Policy settings are applied may not work as expected.

Solution:

A registry parameter is available after you apply this hotfix that you can use to increase the Kerberos token size. For example, increasing the token size to 65 KB allows a user to be present in more than 900 groups. Because of the associated SID information, this number may vary.

To use this parameter:

  1. Start Registry Editor (Regedt32.exe).
  2. Locate and click the following key in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  3. If this key is not present, create the key. To do so:
    • Click the following key in the registry: System\CurrentControlSet\Control\Lsa\Kerberos
    • On the Edit menu, click Add Key.
    • Create a Parameters key.
    • Click the new Parameters key.
  4. On the Edit menu, click Add Value, and then add the following registry value:
    • Value name: MaxTokenSize
    • Data type: REG_DWORD
    • Radix: Decimal
    • Value data: 65535
  5. Quit Registry Editor.

The default value for MaxTokenSize is 12000 decimal. We recommend that you set this value to 65535 decimal, FFFF hexadecimal. If you set this value incorrectly to 65535 hexadecimal (an extremely large value), Kerberos authentication operations may fail, and programs may return errors.
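As an added example (not part of the original post or the knowledge base article), here is a PowerShell check that reads the configured MaxTokenSize, flags the decimal/hexadecimal mix-up described above, and compares the current user’s group count against the 120-group and 40-bytes-per-group figures quoted in the post. The 40-bytes-per-group estimate ignores the token’s fixed overhead and is an assumption for illustration only; the commented-out fix at the end applies the recommended decimal 65535.

```powershell
# Added example (not from the original post): audit MaxTokenSize against the
# current user's group count and show the fix applied as DECIMAL 65535.
$keyPath          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$defaultTokenSize = 12000   # default quoted in the post (Windows 2000 SP2 / 2003)
$bytesPerGroup    = 40      # per-group growth figure quoted in the post
$groupThreshold   = 120     # group count at which the post says the buffer overflows

# Read the configured value; a missing key or value means the default applies.
$configured = $null
if (Test-Path $keyPath) {
    $configured = (Get-ItemProperty -Path $keyPath -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
}
$effective = if ($null -ne $configured) { [int]$configured } else { $defaultTokenSize }

# The value is a DWORD. Typing 65535 with the radix left on Hexadecimal stores
# 0x65535 = 415029, the "extremely large value" the post warns about.
if ($effective -eq 0x65535) {
    Write-Warning "MaxTokenSize is 0x65535 ($effective): 65535 was entered as hex, not decimal."
}

# Count the group SIDs in the current logon token (nested and well-known groups included).
$groupCount = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Count
# Assumption: rough estimate using only the post's 40-bytes-per-group figure.
$estimate   = $groupCount * $bytesPerGroup

"MaxTokenSize in effect : $effective bytes (registry: $(if ($null -ne $configured) { $configured } else { 'not set' }))"
"Groups in logon token  : $groupCount (estimated SID payload: $estimate bytes)"

if ($groupCount -gt $groupThreshold -or $estimate -ge $effective) {
    Write-Warning "Token likely exceeds MaxTokenSize; expect the XP/Win7 errors described in the post."
}

# Fix from the post, done in PowerShell (run elevated). A decimal literal with
# -Type DWord writes 0x0000FFFF, which is the intended 65535.
# New-Item -Path $keyPath -Force | Out-Null
# Set-ItemProperty -Path $keyPath -Name MaxTokenSize -Type DWord -Value 65535
```

Run it in a normal user session first: the group count it reports is the user’s effective token, which is what the Kerberos buffer has to hold.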

3 Comments

  1. Didi said,

    Hello there Heiko :) how are you doin’..

    it reminds me of the problem in Karawang some years ago :)

    • devbios said,

      Howdy didi!
      Thanks I’m fine ;)

      Yeah that was _exactly_ the problem we faced everywhere.

      LOL to M$ they couldn’t fix that automatically :)

  2. abrar said,

    awesome dude…
