Windows 7 and Windows XP just give different errormessages for the same Problem, mainly when you are in MANY AD Groups (like me) and you want to work with that System:
Windows XP says most time:
“Not enough Storage is availible to Complete this command”
Windows 7 says:
“Naming information cannot be located because:
The system detected a possible attempt to compromise security.
Please ensure that you can contact the server that authenticated you.
Contact your system administrator to verify that your domain is properly configured and is currently online.”
Under Win7 even Outlook 2007 didn’t wanted to start!
Here is the detailed cause and solution to the Problem:
Cause: The user is not able to authenticate because the Kerberos token that is generated during authentication attempts has a fixed maximum size.
Transports such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication. In Windows 2000 (the original released version), the MaxTokenSize value is 8,000 bytes. In Windows 2000 Service Pack 2 (SP2) and Microsoft Windows Server 2003, the MaxTokenSize value is 12,000 bytes.
If a user is a member of more than 120 groups, the buffer that is determined by the MaxTokenSize value is not large enough. As a result, users cannot authenticate, and they may receive an “out of memory” error message. Before you apply the hotfix that is described in this article, every group that is added to a user account increases this buffer by 40 bytes.
NOTE: In many scenarios, Windows NTLM authentication works as expected; you may not see the Kerberos authentication problem without analysis. However, scenarios in which Group Policy settings are applied may not work as expected.
A registry parameter is available after you apply this hotfix that you can use to increase the Kerberos token size. For example, increasing the token size to 65 KB allows a user to be present in more than 900 groups. Because of the associated SID information, this number may vary.
To use this parameter:
Start Registry Editor (Regedt32.exe).
Locate and click the following key in the registry: HK_Local_Machine\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters*
If this key is not present, create the key. To do so:
Click the following key in the registry: System\CurrentControlSet\Control\Lsa\Kerberos
On the Edit menu, click Add Key.
Create a Parameters key.
Click the new Parameters key.
On the Edit menu, click Add Value, and then add the following registry value:
Value name: MaxTokenSize
Data type: REG_DWORD
Value data: 65535
Quit Registry Editor.
The default value for MaxTokenSize is 12000 decimal. We recommend that you set this value to 65535 decimal, FFFF hexadecimal. If you set this value incorrectly to 65535 hexadecimal (an extremely large value) Kerberos authentication operations may fail, and programs may return errors.