Technical reference about Kerberos: http://technet.microsoft.com/en-us/library/cc739058(WS.10).aspx

White paper about Kerberos troubleshooting: http://www.microsoft.com/en-us/download/details.aspx?id=21820

Microsoft has published a tool called Tokensz: http://www.microsoft.com/download/en/details.aspx?id=1448

Microsoft has a detailed document about the token-bloat problem, Addressing Problems Due To Access Token Limitation: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=13749

For remediation, this Microsoft white paper explains which factors drive the size of the token:

Several factors can affect the outcome of the token evaluation process, including the following:
  • Whether the token is issued for logon purposes or for resource access.
  • The groups that the principal is a member of, including direct and transitive memberships.
  • The types of groups involved. There are two types of groups in Active Directory: distribution groups and security groups. Distribution groups are not included in the principal’s token, but all security groups are included. All group scopes (universal, global, domain local, machine local, and built-in) are included in the token evaluation.
  • The functional level (for Windows Server 2003) or the domain mode (for Windows 2000 Server).
The token evaluation process evaluates groups recursively. For example, if User A is a member of Group 1 and Group 1 is a member of Group 2, then a token generated for User A contains SIDs representing both Group 1 and Group 2. In native mode and higher domains, universal, global, and domain local groups are all evaluated recursively. Universal security groups do not exist in mixed mode domains.

MaxTokenSize and Token Bloat: http://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-and-kerberos-token-bloat.asp

http://markparris.co.uk/2013/05/07/maxtokensize-change-of-recommendation-from-microsoft/

Updated Guidance and Recommendations

In the past we had guidance that stated you could increase the MaxTokenSize registry entry to 65535. But because of the limits that HTTP’s base64 encoding imposes on authentication context tokens, starting with Windows Server 2012 the default value of the MaxTokenSize registry entry is 48000 bytes. This is why we are recommending that you set the MaxTokenSize no larger than 48000 bytes on any OS version.

How to reduce Kerberos token bloat

First read this very interesting article: https://dirteam.com/sander/2013/05/22/common-challenges-when-managing-active-directory-domain-services-part-2-unnecessary-complexity-and-token-bloat/

To reduce the Kerberos ticket size you can:
  • Reduce/consolidate group membership
  • Clean up SID History
  • Limit the number of accounts that are configured as “trusted for delegation”: for an account that is trusted for delegation, the buffer requirement for each SID may double.
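The three levers above map directly onto the estimate in KB327825 (TokenSize = 1200 + 40d + 8s). The following is an added example, not code from this page or from Microsoft: it counts a user's transitive security-group membership by scope, adds the sIDHistory entries, applies the formula (doubled when the account is trusted for delegation) and compares the result with the MaxTokenSize in force on the machine it runs on. It assumes the ActiveDirectory module (RSAT) and a single DC or GC to query; the function and parameter names are my own.

```powershell
# Added example (not code from the page or from Microsoft): estimate a user's Kerberos
# token size with the KB327825 formula  TokenSize = 1200 + 40d + 8s  and compare it
# with the MaxTokenSize in force on this machine.
#   d = domain local groups + universal groups OUTSIDE the account domain + sIDHistory entries
#   s = global groups + universal groups INSIDE the account domain
# The estimate is doubled for an account that is trusted for delegation (see the list above).
# Assumptions: the ActiveDirectory module (RSAT) is installed, and the transitive-membership
# query runs against one DC, so domain local groups in other (resource) domains are not
# seen; point -Server at a global catalog (host:3268) to at least pick up foreign universals.
Import-Module ActiveDirectory

function Get-KerberosTokenSizeEstimate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [string]$Server,            # DC or GC to query; current domain when omitted
        [int]$MaxTokenSize = 0      # 0 = read HKLM\...\Kerberos\Parameters, else OS default
    )
    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    $user = Get-ADUser -Identity $SamAccountName @ad -Properties sIDHistory, TrustedForDelegation
    $accountDomainSid = $user.SID.AccountDomainSid.Value

    # All groups that contain the user directly or transitively, in one LDAP query
    # (1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN). Escape the DN for the filter.
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    $groups = @(Get-ADGroup @ad -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
                Where-Object { $_.GroupCategory -eq 'Security' })   # distribution groups never enter the token

    $domainLocal = @($groups | Where-Object { $_.GroupScope -eq 'DomainLocal' }).Count
    $global      = @($groups | Where-Object { $_.GroupScope -eq 'Global' }).Count
    $univInside  = @($groups | Where-Object { $_.GroupScope -eq 'Universal' -and $_.SID.AccountDomainSid.Value -eq $accountDomainSid }).Count
    $univOutside = @($groups | Where-Object { $_.GroupScope -eq 'Universal' -and $_.SID.AccountDomainSid.Value -ne $accountDomainSid }).Count
    $sidHistory  = @($user.sIDHistory).Count

    $d = $domainLocal + $univOutside + $sidHistory
    $s = $global + $univInside
    $estimate = 1200 + 40 * $d + 8 * $s
    if ($user.TrustedForDelegation) { $estimate *= 2 }

    if ($MaxTokenSize -eq 0) {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
        $cfg = (Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
        # Built-in default: 48000 from Windows 8 / Server 2012 (6.2) on, 12000 before that
        if ($cfg) { $MaxTokenSize = [int]$cfg }
        elseif ([Environment]::OSVersion.Version -ge [Version]'6.2') { $MaxTokenSize = 48000 }
        else { $MaxTokenSize = 12000 }
    }

    [pscustomobject]@{
        SamAccountName       = $user.SamAccountName
        SecurityGroups       = $groups.Count
        DomainLocal          = $domainLocal
        Global               = $global
        UniversalInDomain    = $univInside
        UniversalOtherDomain = $univOutside
        SidHistoryEntries    = $sidHistory
        TrustedForDelegation = [bool]$user.TrustedForDelegation
        EstimatedTokenBytes  = $estimate
        MaxTokenSize         = $MaxTokenSize
        ExceedsMaxTokenSize  = ($estimate -gt $MaxTokenSize)
        Over1015Groups       = ($groups.Count -gt 1015)   # KB328889: logon fails past 1,015 groups whatever MaxTokenSize is
    }
}

# Usage: Get-KerberosTokenSizeEstimate -SamAccountName jdalbera | Format-List
```

The breakdown by scope tells you which lever to pull: a high UniversalOtherDomain or SidHistoryEntries count costs 40 bytes per SID, five times what a global group costs, so SID-history cleanup and collapsing cross-domain universal groups pay off first. Treat the number as a lower bound when the user has resource-domain memberships the queried DC cannot see.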

To find and to remove SIDHistory:

Web resources:

http://blogs.technet.com/b/ashleymcglone/archive/2014/09/05/powershell-module-for-active-directory-sid-history-now-faster.aspx

Remove SIDhistory:

http://blogs.technet.com/b/ashleymcglone/archive/2011/11/23/how-to-remove-sid-history-with-powershell.aspx

SIDHistory powershell module: https://gallery.technet.microsoft.com/PowerShell-Module-for-08769c67

With AD cmdlets: https://technet.microsoft.com/en-us/library/powershell_remove_sid_history%28WS.10%29.aspx
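Added example for the find-and-remove step above; it is not Ashley McGlone's module nor the page's own script. It reports every object that still carries sIDHistory, grouped by the source domain the SIDs came from (which is where the 40-byte-per-SID bloat originates), and strips the attribute only through ShouldProcess so that -WhatIf can be used first. It assumes the ActiveDirectory module, rights to modify sIDHistory, and that the module returns sIDHistory values as SecurityIdentifier objects (as it does for objectSid); function names are mine.

```powershell
# Added example (not Ashley McGlone's module or the page's own code): report every
# principal that still carries sIDHistory, see which source domain the entries came from,
# and optionally strip them. Removing sIDHistory is the last step of a migration, once all
# resource ACLs have been re-ACLed to the new SIDs, so run with -WhatIf first.
# Assumption: ActiveDirectory module present; sIDHistory values come back as SecurityIdentifier.
Import-Module ActiveDirectory

function Get-SidHistoryReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # Users, groups and computers alike; one row per historical SID
    Get-ADObject -SearchBase $SearchBase -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, sAMAccountName |
        ForEach-Object {
            foreach ($sid in $_.sIDHistory) {
                [pscustomobject]@{
                    SamAccountName    = $_.sAMAccountName
                    ObjectClass       = $_.ObjectClass
                    DistinguishedName = $_.DistinguishedName
                    OldSid            = $sid.Value
                    OldDomainSid      = $sid.AccountDomainSid.Value   # source domain of the migrated SID
                }
            }
        }
}

function Remove-SidHistory {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipeline)] $Object)   # an ADObject with sIDHistory loaded
    process {
        foreach ($sid in @($Object.sIDHistory)) {
            if ($PSCmdlet.ShouldProcess($Object.DistinguishedName, "remove sIDHistory $($sid.Value)")) {
                # Same LDAP modify as the AD cmdlets reference above, one value at a time
                Set-ADObject -Identity $Object -Remove @{ sIDHistory = $sid.Value }
            }
        }
    }
}

# Usage:
#   Get-SidHistoryReport | Group-Object OldDomainSid | Sort-Object Count -Descending   # where the bloat comes from
#   Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory | Remove-SidHistory -WhatIf
#   Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory | Remove-SidHistory -Confirm
```

Keep the report output before you remove anything: once sIDHistory is gone, any ACL that still references the old SID resolves to an orphaned SID and the user loses access, and the only way back is re-ACLing, not re-adding the attribute.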

Token Bloat known issues

How to use Group Policy to add the MaxTokenSize registry entry to multiple computers

http://support.microsoft.com/kb/938118/EN-US

New resolution for problems with Kerberos authentication when users belong to many groups
http://support.microsoft.com/kb/327825

“HTTP 400 – Bad Request (Request Header too long)” error in Internet Information Services (IIS)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2020943

Users who are members of more than 1,015 groups may fail logon authentication
http://support.microsoft.com/kb/328889/

Group Policy may not be applied to users belonging to many groups
http://support.microsoft.com/kb/263693/

Recommended settings for IIS and Apache

For HTTP (IIS):

Reference article: http://support.microsoft.com/kb/2020943

Default values (both are DWORD values under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters)

Value            Default   Range                           Comment
MaxFieldLength   16384     64 - 65534 (64k - 2) bytes      Sets an upper limit for each header. See MaxRequestBytes. This limit translates to approximately 32k characters for a URL.
MaxRequestBytes  16384     256 - 16777216 (16 MB) bytes    Determines the upper limit for the total size of the request line and the headers. Its default setting is 16 KB. If this value is lower than MaxFieldLength, the MaxFieldLength value is adjusted.

NOTE: If MaxFieldLength is configured to its maximum value of 64 KB, then the MaxTokenSize registry value should be set to no more than 3/4 * 64 KB = 48 KB, because the token is base64-encoded (4 characters for every 3 bytes) before it is placed in the Authorization header. For more information on the MaxTokenSize setting, see KB327825 listed above.

Recommended values: 32768 for both MaxFieldLength and MaxRequestBytes.

Note: these settings are typically applied to ADFS IIS servers.
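To check that the three values agree before a user hits the HTTP 400, here is an added example (not part of KB2020943 or of this page) that reads the http.sys limits and MaxTokenSize from the registry, applies the 3/4 rule from the note above, and can write the recommended 32768/32768 pair. It assumes the defaults in the table when an entry is absent, 12000 or 48000 for MaxTokenSize depending on OS version, and that http.sys must be restarted for HTTP\Parameters changes to take effect; the function name is mine.

```powershell
# Added example (not from KB2020943 or the page): compare the http.sys header limits with
# MaxTokenSize on an IIS/ADFS server and, with -Apply, set the values the text recommends.
# A Kerberos token travels base64-encoded in the Authorization header, so MaxFieldLength
# must hold 4/3 of MaxTokenSize, i.e. MaxTokenSize <= 3/4 * MaxFieldLength.
# Assumptions: defaults are 16384 for both http.sys values when the entry is absent (see
# the table above) and 12000 / 48000 for MaxTokenSize depending on OS version. Changes
# under HTTP\Parameters take effect only after http.sys is restarted (net stop http, or reboot).

function Test-KerberosHeaderLimits {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$MaxFieldLength  = 32768,   # recommended values from the text above
        [int]$MaxRequestBytes = 32768,
        [switch]$Apply
    )
    $httpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $krbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

    function Get-RegDword($Path, $Name, $Default) {
        $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -eq $v) { $Default } else { [int]$v }
    }
    $osDefaultToken = if ([Environment]::OSVersion.Version -ge [Version]'6.2') { 48000 } else { 12000 }
    $curField   = Get-RegDword $httpKey 'MaxFieldLength'  16384
    $curRequest = Get-RegDword $httpKey 'MaxRequestBytes' 16384
    $curToken   = Get-RegDword $krbKey  'MaxTokenSize'    $osDefaultToken

    # Largest token that still fits in one header once base64-encoded
    $tokenCeiling = [int][math]::Floor($curField * 3 / 4)
    $findings = @()
    if ($curToken -gt $tokenCeiling) { $findings += "MaxTokenSize $curToken exceeds 3/4 of MaxFieldLength ($tokenCeiling): users with large tokens will get HTTP 400 'Request header too long'" }
    if ($curRequest -lt $curField)   { $findings += "MaxRequestBytes $curRequest is below MaxFieldLength $curField (http.sys adjusts it, but set it explicitly)" }
    if ($curToken -gt 48000)         { $findings += "MaxTokenSize $curToken is above the 48000 recommended for any OS version" }

    if ($Apply) {
        # Stay inside the ranges from the table above
        if ($MaxFieldLength -lt 64 -or $MaxFieldLength -gt 65534 -or $MaxRequestBytes -lt 256 -or $MaxRequestBytes -gt 16777216) {
            throw 'requested value is outside the http.sys range'
        }
        if ($PSCmdlet.ShouldProcess($httpKey, "set MaxFieldLength=$MaxFieldLength MaxRequestBytes=$MaxRequestBytes")) {
            Set-ItemProperty -Path $httpKey -Name MaxFieldLength  -Value $MaxFieldLength  -Type DWord
            Set-ItemProperty -Path $httpKey -Name MaxRequestBytes -Value $MaxRequestBytes -Type DWord
            Write-Warning 'Restart http.sys (net stop http / net start http, or reboot) for the new limits to apply'
        }
    }

    [pscustomobject]@{
        MaxFieldLength   = $curField
        MaxRequestBytes  = $curRequest
        MaxTokenSize     = $curToken
        TokenSizeCeiling = $tokenCeiling
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

# Usage: Test-KerberosHeaderLimits                 # report only
#        Test-KerberosHeaderLimits -Apply -WhatIf  # show what would change
#        Test-KerberosHeaderLimits -Apply          # write 32768/32768, then restart http.sys
```

On a fresh Windows Server 2012 box the report is deliberately non-compliant: the OS default MaxTokenSize of 48000 is larger than 3/4 of the http.sys default MaxFieldLength (12288), which is exactly why the IIS values have to be raised alongside the token size.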

For Apache HTTP Server (mod_auth_kerb):

# Load mod_auth_kerb before any directive it provides is used
LoadModule auth_kerb_module /tools/httpd/current/modules/mod_auth_kerb.so

# Raise the per-header limit to 32 KB (Apache default is 8190 bytes) because we hit the
# header size limit after the GAD migration (IE only): a large Kerberos token is sent
# base64-encoded in the Authorization header. Server-wide directive, not per Location.
LimitRequestFieldSize 32768

<LocationMatch "(/upm/oauth_clients|/upm/oauth/authorize)">
    AuthType Kerberos
    KrbAuthRealms MYDOMAIN.COM
    KrbServiceName http
    # Keytab for HTTP/<fqdn>; must be readable by the httpd user only
    Krb5Keytab /etc/krb5.keytab
    KrbMethodNegotiate on
    # Fallback to Basic auth (the user's password crosses the wire and is checked
    # against the KDC); set to off unless non-Negotiate clients must be supported
    KrbMethodK5Passwd on
    Require valid-user
</LocationMatch>

Note: these settings have been applied to Apache servers.

System Event log Event ID 31 on domain controller

Reference technet: http://blogs.technet.com/b/askds/archive/2012/09/12/maxtokensize-and-windows-8-and-windows-server-2012.aspx

http://markparris.co.uk/2013/05/07/maxtokensize-change-of-recommendation-from-microsoft/

Windows 8 and Windows Server 2012 include Kerberos enhancements that specifically target large service ticket and MaxTokenSize scenarios. To summarize:

  • Increased default MaxTokenSize from 12k to 48k
  • New Group Policy setting to centrally manage MaxTokenSize
  • New Group Policy setting to write warnings to the system event log when a service ticket exceeds a designated threshold
  • New Resource SID compression to reduce the storage size of SIDs from the resource domain

Powershell Scripts

https://gallery.technet.microsoft.com/scriptcenter/Check-for-MaxTokenSize-520e51e5

http://www.jhouseconsulting.com/2013/12/20/script-to-create-a-kerberos-token-size-report-1041

  1. Using a PowerShell script to collect all Event ID 31 entries on all the domain controllers:

Edit dclist.csv (the list of domain controllers to query).

Then, from an elevated PowerShell prompt: .\Dump-DC-KerberosEventID31.ps1

  2. Using a PowerShell script to assess a specific user by sAMAccountName:

.\CheckMaxTokenSize -Principals <samaccountname> -Details $true

e.g. .\CheckMaxTokenSize -Principals jdalbera -Details $true

Event Viewer XPath query to find all Event ID 31 entries (Level 3 = Warning) from the last 24 hours; timediff() works in milliseconds, so 86400000 = one day:

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=3) and (EventID=31) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
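The same query can be run against every DC from one console. The following is an added example and not the page's Dump-DC-KerberosEventID31.ps1: instead of dclist.csv it enumerates the domain controllers with Get-ADDomainController, runs the XPath above through Get-WinEvent with a configurable window, and returns one object per warning. It assumes remote Event Log access on each DC and keeps the message text verbatim, because the exact layout of the Event 31 message is not reproduced on this page; the function name is mine.

```powershell
# Added example (not the page's Dump-DC-KerberosEventID31.ps1): run the Event Viewer XPath
# query above against every domain controller and return the KDC ticket-size warnings as
# objects that can be grouped and counted. Assumptions: the caller has remote Event Log
# access on each DC, and the event Message is passed through unparsed because its exact
# layout is not given on this page.
Import-Module ActiveDirectory

function Get-KerberosTicketSizeWarnings {
    param(
        # Default: every DC in the current domain, replacing the page's dclist.csv
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        [int]$Hours = 24
    )
    # Same selector as the Event Viewer query above; timediff() is in milliseconds
    $ms = $Hours * 3600 * 1000
    $xml = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=3) and (EventID=31) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]</Select>
  </Query>
</QueryList>
"@
    foreach ($dc in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $dc -FilterXml $xml -ErrorAction Stop | ForEach-Object {
                [pscustomobject]@{
                    DomainController = $dc
                    TimeCreated      = $_.TimeCreated
                    Provider         = $_.ProviderName
                    Message          = $_.Message
                }
            }
        } catch {
            # Get-WinEvent errors when nothing matches; only that case is benign
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$dc : $($_.Exception.Message)"
            }
        }
    }
}

# Usage:
#   Get-KerberosTicketSizeWarnings -Hours 24 | Group-Object DomainController | Select-Object Name, Count
#   Get-KerberosTicketSizeWarnings -Hours 168 | Export-Csv .\kdc-event31.csv -NoTypeInformation
```

The warnings only appear once the Group Policy threshold from the Windows Server 2012 enhancements above is configured on the DCs; a run that returns nothing on a domain with known token-bloat users usually means the policy is not set, not that the problem is gone.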