4

I had a user who is a member of about 900 groups (some of them are nested, so I suspect there are about 1000 groups in total) and he couldn't log in; the error stated that there are too many IDs. I ran a script to count his token size and it turned out to be about 24K. We have set the limit to 64K. The user had nothing in SID history, as he was never migrated.

Script: https://gallery.technet.microsoft.com/scriptcenter/Check-for-MaxTokenSize-520e51e5

I have also read this article: https://support.microsoft.com/en-us/help/327825/problems-with-kerberos-authentication-when-a-user-belongs-to-many-grou

But first it says that there is a fixed number of groups per user, and then it says that if we set MaxTokenSize to 64K each user can have something like 1600 Domain Local groups.

I just wonder what the point of setting MaxTokenSize is while there is a maximum number of AD groups allowed for a user? I guess I'm missing something here.

  • Wow. What possible reason could there be for having so many groups? – joeqwerty Sep 30 '17 at 15:05
  • The user was involved in a project that required creating about 900 shared mailboxes and 2 access groups for each one. Guess how many groups the user was in for a minute. – varrimatrass Oct 01 '17 at 13:37

1 Answer

3

If you had not set MaxTokenSize to 64K, you would have experienced the issues with fewer group memberships, because the default value is 12K (48K for Windows Server 2012 and later). I suspect you may be using an operating system earlier than Windows 2012, because 2012 introduced a new event log warning that provides the exact token size for accounts with large group memberships.

If you had read KB327825, it states there is not a direct relationship between the number of groups and token size. The amount of memory required varies based on group type (Universal/Global/Local), if the group is in the same domain or another domain, domain name, client name, and if the ticket is used in delegation.

You haven't specified the exact number of groups, but the amount you estimated is way beyond any reasonable design. Whatever they are doing, it will need to be done with fewer groups.

https://dirteam.com/sander/2013/04/05/new-features-in-active-directory-domain-services-in-windows-server-2012-part-21-resource-sid-compression/

https://blogs.technet.microsoft.com/askds/2012/09/12/maxtokensize-and-windows-8-and-windows-server-2012/

Greg Askew
  • Got it. So just to be sure, the number of groups influences token size, but if a user is a member of approximately 1010 groups the user won't log in, even though the token might be much below the set maximum value? – varrimatrass Oct 01 '17 at 13:53
  • It could be less than 1010 groups, and you really don't know the token size. The script you reference is not hyper-accurate, it is an estimate. The only way to know the exact token size is to use the "Warning for large Kerberos tickets" event in Windows 8/2012 and later. You may also want to confirm in which policy the MaxTokenSize value is being set, if it is actually being set on the computers, and specify your operating system platform. – Greg Askew Oct 01 '17 at 14:41
  • Ok, thank you very much. That helps me a lot! Cheers – varrimatrass Oct 02 '17 at 06:26
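The distinction the answer and the comments draw (token size is one limit, the number of groups in the token is a separate one, and the two are not the same check) is easier to see with numbers. Below is an added example, not code from the question, the answer, or the linked script, that applies the estimation formula from KB327825 (TokenSize = 1200 + 40d + 8s, where d counts domain-local groups, universal groups from other domains and SID-history entries, and s counts global groups and universal groups in the user's own domain) to a constructed group list shaped like the scenario in the question. The `Group` class, the group names, the domain names and the `build_constructed_groups` helper are all assumptions made up for the example; the MaxTokenSize defaults (12,000 and 48,000 bytes) are the ones the answer gives, and the 1,015-group cap is the separately documented Windows limit that the thread rounds to "approximately 1010".

```python
from dataclasses import dataclass

# KB327825 estimation formula constants: TokenSize = 1200 + 40d + 8s
TOKEN_OVERHEAD_BYTES = 1200
BYTES_PER_D_GROUP = 40   # domain-local, foreign universal, SID-history entries
BYTES_PER_S_GROUP = 8    # global and same-domain universal groups

# MaxTokenSize defaults mentioned in the answer (bytes)
DEFAULT_MAXTOKENSIZE_PRE_2012 = 12000
DEFAULT_MAXTOKENSIZE_2012 = 48000
# Hard cap on the number of groups a token can carry, independent of MaxTokenSize
# (documented Windows limit; the thread rounds it to "approximately 1010").
GROUP_COUNT_LIMIT = 1015


@dataclass(frozen=True)
class Group:
    """Hypothetical group record: scope is DomainLocal, Global or Universal."""
    name: str
    scope: str
    domain: str


def estimate_token_size(groups, user_domain, sid_history_count=0):
    """Return the KB327825 token-size estimate in bytes for this membership."""
    d = sid_history_count
    s = 0
    for g in groups:
        if g.scope == "DomainLocal":
            d += 1
        elif g.scope == "Global":
            s += 1
        elif g.scope == "Universal":
            # Universal groups cost 8 bytes in the account domain, 40 elsewhere
            if g.domain.lower() == user_domain.lower():
                s += 1
            else:
                d += 1
        else:
            raise ValueError(f"unknown group scope: {g.scope}")
    return TOKEN_OVERHEAD_BYTES + BYTES_PER_D_GROUP * d + BYTES_PER_S_GROUP * s


def assess(groups, user_domain, max_token_size, sid_history_count=0):
    """Check both limits: the configured MaxTokenSize and the group-count cap."""
    size = estimate_token_size(groups, user_domain, sid_history_count)
    count = len(groups) + sid_history_count
    return {
        "estimated_bytes": size,
        "group_count": count,
        "exceeds_max_token_size": size > max_token_size,
        "exceeds_group_limit": count > GROUP_COUNT_LIMIT,
    }


def build_constructed_groups(mailboxes=500):
    """Constructed sample: two domain-local access groups per shared mailbox,
    plus a handful of global and universal groups. Not real directory data."""
    groups = []
    for i in range(mailboxes):
        groups.append(Group(f"MBX{i:04d}-FullAccess", "DomainLocal", "corp.example"))
        groups.append(Group(f"MBX{i:04d}-SendAs", "DomainLocal", "corp.example"))
    groups += [Group(f"GlobalTeam{i}", "Global", "corp.example") for i in range(10)]
    groups += [Group(f"Universal{i}", "Universal", "corp.example") for i in range(5)]
    groups += [Group(f"Partner{i}", "Universal", "partner.example") for i in range(3)]
    return groups


if __name__ == "__main__":
    sample = build_constructed_groups()
    for limit in (DEFAULT_MAXTOKENSIZE_PRE_2012, DEFAULT_MAXTOKENSIZE_2012, 65535):
        print(limit, assess(sample, "corp.example", limit))
```

With the constructed membership (1,018 groups, 1,003 of them in the 40-byte class) the estimate is 41,440 bytes: over the pre-2012 default of 12K, under a 64K MaxTokenSize, and yet still failing the group-count check. That is the situation the question describes, and it is why raising MaxTokenSize alone does not make a 1,000-plus-group account log on. As the answer notes, any formula-based number is only an estimate; the exact size comes from the large-Kerberos-ticket warning event on Windows 8/2012 and later.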