Something that I always hate is when there is no update and a product stops working, so I cannot do my work anymore.
In this case I (am forced to) use Internet Explorer to open up several intranet pages that allow me to do my administration work.
The problem sums up like this:
- Google, and everything else on “the internet”, works seamlessly
- Opening something internal just hangs IE8 for a couple of minutes, and then it just stops loading without an error
- Same in Firefox with IETab installed
- Same in IE 7 and IE 8, 64-bit and 32-bit
The solution is as easy as it is stupid:
In “Internet Options” -> “Security”, the “Local Intranet” zone is set up with “Protected Mode” disabled.
Enabling it fixed the problem instantly for IE8, IE7 and Firefox with IETab.
Windows 7 and Windows XP just give different error messages for the same problem, mainly when you are in MANY AD groups (like me) and you want to work with that system:
Windows XP says most of the time:
“Not enough Storage is available to Complete this command”
Windows 7 says:
“Naming information cannot be located because:
The system detected a possible attempt to compromise security.
Please ensure that you can contact the server that authenticated you.
Contact your system administrator to verify that your domain is properly configured and is currently online.”
Under Win7 even Outlook 2007 didn’t want to start!
Here is the detailed cause and solution to the problem:
The user is not able to authenticate because the Kerberos token that is generated during authentication attempts has a fixed maximum size.
Transports such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication. In Windows 2000 (the original released version), the MaxTokenSize value is 8,000 bytes. In Windows 2000 Service Pack 2 (SP2) and Microsoft Windows Server 2003, the MaxTokenSize value is 12,000 bytes.
If a user is a member of more than 120 groups, the buffer that is determined by the MaxTokenSize value is not large enough. As a result, users cannot authenticate, and they may receive an “out of memory” error message. Before you apply the hotfix that is described in this article, every group that is added to a user account increases this buffer by 40 bytes.
NOTE: In many scenarios, Windows NTLM authentication works as expected; you may not see the Kerberos authentication problem without analysis. However, scenarios in which Group Policy settings are applied may not work as expected.
A registry parameter is available after you apply this hotfix that you can use to increase the Kerberos token size. For example, increasing the token size to 65 KB allows a user to be present in more than 900 groups. Because of the associated SID information, this number may vary.
To use this parameter:
- Start Registry Editor (Regedt32.exe).
- Locate and click the following key in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
- If this key is not present, create the key. To do so:
  - Click the following key in the registry: System\CurrentControlSet\Control\Lsa\Kerberos
  - On the Edit menu, click Add Key.
  - Create a Parameters key.
  - Click the new Parameters key.
- On the Edit menu, click Add Value, and then add the following registry value:
  - Value name: MaxTokenSize
  - Data type: REG_DWORD
  - Radix: Decimal
  - Value data: 65535
- Quit Registry Editor.
The default value for MaxTokenSize is 12000 decimal. We recommend that you set this value to 65535 decimal, FFFF hexadecimal. If you set this value incorrectly to 65535 hexadecimal (an extremely large value), Kerberos authentication operations may fail, and programs may return errors.
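
The registry steps above can also be scripted. The following PowerShell is an added example, not part of the original article or of the quoted hotfix text; the function names are hypothetical, and it assumes PowerShell 3.0 or later and an elevated prompt for the setter. The audit function also flags the hexadecimal-radix mistake described in the last paragraph.

```powershell
# Added example; function and variable names are hypothetical.
$KerberosKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$Recommended  = 65535      # decimal (0xFFFF), the value recommended above
$RadixMistake = 0x65535    # 415029 decimal: "65535" entered with radix Hexadecimal
$DefaultSize  = 12000      # default stated in the text above

function Get-MaxTokenSizeStatus {
    # Read the value if the key and the value exist; $null means "not configured".
    $value = $null
    if (Test-Path -Path $KerberosKey) {
        $prop = Get-ItemProperty -Path $KerberosKey -Name MaxTokenSize -ErrorAction SilentlyContinue
        if ($prop) { $value = $prop.MaxTokenSize }
    }
    if     ($null -eq $value)         { $status = 'NotSet' }
    elseif ($value -eq $Recommended)  { $status = 'Recommended' }
    elseif ($value -eq $RadixMistake) { $status = 'RadixMistake' }
    elseif ($value -gt $Recommended)  { $status = 'TooLarge' }
    else                              { $status = 'Custom' }

    # Group SIDs in the current logon token (includes well-known SIDs, so this
    # is only an approximation of the user's AD group count).
    $groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Count
    $effective = if ($null -eq $value) { $DefaultSize } else { $value }

    [pscustomobject]@{
        ConfiguredValue  = $value
        EffectiveValue   = $effective
        Status           = $status
        GroupSidsInToken = $groups
        # Per the text above: more than 120 groups overflows the default buffer,
        # and an oversized value can itself break Kerberos authentication.
        NeedsAttention   = (($status -eq 'NotSet' -and $groups -gt 120) -or
                            ($status -in 'RadixMistake', 'TooLarge'))
    }
}

function Set-MaxTokenSize {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$Size = $Recommended)
    # This example refuses anything above the recommended 65535 decimal.
    if ($Size -gt $Recommended) { throw "Refusing MaxTokenSize $Size (> $Recommended decimal)." }
    if ($PSCmdlet.ShouldProcess($KerberosKey, "Set MaxTokenSize to $Size (REG_DWORD, decimal)")) {
        if (-not (Test-Path -Path $KerberosKey)) { New-Item -Path $KerberosKey -Force | Out-Null }
        New-ItemProperty -Path $KerberosKey -Name MaxTokenSize -PropertyType DWord -Value $Size -Force | Out-Null
    }
}

Get-MaxTokenSizeStatus
```

Run `Set-MaxTokenSize -WhatIf` first to preview the registry change without writing it.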