
I am having issues with a .net 2.0 web app hosted on a windows 2003 server authenticating with a java app (on linux I think). The java server is expecting Kerberos authentication and currently fails as the request is coming in with NTLM.

I had a look in the windows event viewer on the 2003 server and there are several Kerberos 6 messages, here is one of them:

The kerberos SSPI package generated an output token of size 3318 bytes, which was too large to fit in the 32AC buffer provided by process id 0.  If the condition persists, please contact your system administrator

I also had a look in the registry after finding an article that suggested adding a MaxTokenSize key to combat this problem to see if someone had mistakenly put one in with a small value, but there was nothing there.

Is there any other explanation as to why it would be saying a mere 3000 bytes is too big?

On a side note I checked the membership of the user in question and it only belongs to the domain users group.

JustinM

1 Answer


The event is misleading: the numbers are in hex.

> token of size 3318 bytes

13080 bytes, really.

> in the 32AC buffer

12972 bytes, really, which matches decently with the configured default in Windows 2003 of 12000 bytes.

See here for more info. As you've found, adjusting the MaxTokenSize will do the job; also consider removing the account from some groups (it takes a lot of memberships to get that big!), keeping an eye on nested group memberships, or changing group types (Domain Local groups take 40 bytes; Global groups only take 8).

Shane Madden
  • Thanks for the very informative answer, this is starting to make more sense. Any thoughts as to why the exact same setup may work fine from a different Win2003 server? – JustinM Sep 08 '14 at 21:01
  • @Phaeze Is it a different server on the same domain? – Shane Madden Sep 08 '14 at 21:01
  • Different domains. – JustinM Sep 08 '14 at 21:04
  • @Phaeze Ahh, ok - is the user account it's authenticating as something that's set up specifically for this application? The domain that's having the problem seemingly has the user configured as a member of a large number of groups (hundreds), while the one that's working does not. – Shane Madden Sep 08 '14 at 21:08
  • Yeah, it is a process account specifically for this use, and it is actually part of another domain; with that, could the user still have different group memberships within the other two domains? – JustinM Sep 08 '14 at 21:11
  • @Phaeze I'm not sure I follow - is it a different user account in the different domains (just with the same name) or the same account being logged into in a different domain due to a trust? – Shane Madden Sep 08 '14 at 21:14
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/17011/discussion-between-phaeze-and-shane-madden). – JustinM Sep 08 '14 at 21:14
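To make the hex-versus-decimal point in the answer concrete, here is an added Python example (not code from the question, the answer, or Microsoft) that parses the event text from the question, converts both sizes to decimal, checks them against the Windows 2003 default the answer quotes, and estimates a token size from group counts using the 40-byte and 8-byte figures in the answer. The 1200-byte base in the estimator is an assumption taken from Microsoft's published token sizing guidance, not a value on this page.

```python
import math
import re

# Windows 2003 default MaxTokenSize quoted in the answer above.
DEFAULT_MAX_TOKEN_SIZE = 12000

# The Kerberos event 6 text from the question (both sizes are hexadecimal).
EVENT_TEXT = ("The kerberos SSPI package generated an output token of size 3318 bytes, "
              "which was too large to fit in the 32AC buffer provided by process id 0.")


def parse_kerberos_event(text):
    """Return (token_bytes, buffer_bytes) in decimal from a Kerberos event 6 message.

    The event prints both values in hex without a 0x prefix, which is why
    '3318 bytes' looks far too small to overflow a 12000-byte buffer.
    """
    tok = re.search(r"token of size ([0-9A-Fa-f]+) bytes", text)
    buf = re.search(r"fit in the ([0-9A-Fa-f]+) buffer", text)
    if not (tok and buf):
        raise ValueError("text does not look like a Kerberos event 6 message")
    return int(tok.group(1), 16), int(buf.group(1), 16)


def estimate_token_size(domain_local, global_groups, base=1200):
    """Rough token-size estimate from group counts: 40 bytes per Domain Local
    group and 8 per Global group (figures from the answer). The 1200-byte base
    for ticket overhead is an assumption from Microsoft's sizing guidance."""
    return base + 40 * domain_local + 8 * global_groups


def diagnose(text, max_token_size=DEFAULT_MAX_TOKEN_SIZE):
    """Restate the event in decimal and give the smallest KB-aligned
    MaxTokenSize that would have held this token."""
    token, buf = parse_kerberos_event(text)
    return {
        "token_bytes": token,
        "buffer_bytes": buf,
        "overflow": token > buf,
        "exceeds_default": token > max_token_size,
        "min_max_token_size": math.ceil(token / 1024) * 1024,
    }


if __name__ == "__main__":
    print(diagnose(EVENT_TEXT))
    # Roughly how many Domain Local memberships exhaust the 2003 default.
    print((DEFAULT_MAX_TOKEN_SIZE - 1200) // 40)
```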