Kerberos Token and Max Token Size – Group membership limits

Technical reference about Kerberos:

White paper about Kerberos troubleshooting:

Microsoft has published a tool called Tokensz:

Microsoft has a detailed document about the token-bloat problem, Addressing Problems Due To Access Token Limitation:

Stepping through the remediation in this MS whitepaper, we can read:

Several factors can affect the outcome of the token evaluation process, including the following:
  • Whether the token is issued for logon purposes or for resource access.
  • The groups that the principal is a member of, including direct and transitive memberships.
  • The types of groups involved. There are two types of groups in Active Directory: distribution groups and security groups. Distribution groups are not included in the principal’s token, but all security groups are included. All group scopes (universal, global, domain local, machine local, and built-in) are included in the token evaluation.
  • The functional level (for Windows Server 2003) or the domain mode (for Windows 2000 Server).

The token evaluation process evaluates groups recursively. For example, if User A is a member of Group 1 and Group 1 is a member of Group 2, then a token generated for User A contains SIDs representing both Group 1 and Group 2. In native mode and higher domains, universal, global, and domain local groups are all evaluated recursively. Universal security groups do not exist in mixed mode domains.

MaxTokenSize and Token Bloat:


Updated Guidance and Recommendations

Earlier guidance stated that you could raise the MaxTokenSize registry entry (REG_DWORD MaxTokenSize under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters) as high as 65535. However, HTTP carries the authentication context token base64-encoded in a request header, and request headers have their own size limits, so starting with Windows Server 2012 and Windows 8 the default MaxTokenSize is 48000 bytes. For the same reason the recommendation is to set MaxTokenSize no larger than 48000 bytes on any OS version.

How to reduce Kerberos token bloat

First read this very interesting article:

To reduce the Kerberos ticket size you can:
  • Reduce/consolidate group membership (only security groups count, but nested membership is evaluated recursively)
  • Clean up SID History (each SIDHistory entry costs as much as a domain local group)
  • Limit the number of accounts that are configured as “trusted for delegation”: for such accounts the buffer requirements for each SID may double

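The following script is an added example, not code from the original page or from Microsoft's CheckMaxTokenSize script. It estimates a user's token size with the legacy KB327825 formula TokenSize = 1200 + 40d + 8s, where d is the number of domain local groups, universal groups outside the account domain and SIDHistory entries, and s is the number of global groups and universal groups in the account domain; the 40d + 8s part is doubled for an account that is trusted for delegation, matching the "may double" caveat above. It assumes the ActiveDirectory RSAT module and read access to the account domain, and it only enumerates groups in that domain, so in a multi-domain forest the result is a lower bound (and Windows Server 2012 resource SID compression makes real tickets smaller than the formula predicts). The script name and the $MaxTokenSize parameter are this example's own choices.

```powershell
# Added example (not from the original page): estimate a user's Kerberos token
# size with the KB327825 formula  TokenSize = 1200 + 40d + 8s.
#   d = domain local groups + universal groups outside the account domain + SIDHistory entries
#   s = global groups + universal groups in the account domain
# 40d + 8s is doubled when the account is trusted for delegation.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [int]$MaxTokenSize = 48000          # ceiling recommended above
)

$user = Get-ADUser -Identity $SamAccountName -Properties SIDHistory, TrustedForDelegation, PrimaryGroup
$accountDomainSid = $user.SID.AccountDomainSid.Value

# Escape DN characters that are special in an LDAP filter.
function Escape-LdapValue([string]$s) {
    $s -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}
$userDn = Escape-LdapValue $user.DistinguishedName
$pgDn   = Escape-LdapValue $user.PrimaryGroup

# Transitive membership via LDAP_MATCHING_RULE_IN_CHAIN: the DC walks nested groups
# server-side, mirroring the recursive evaluation described above. The primary group
# is not stored in any "member" attribute, so it and its parents are added explicitly.
$filter = "(|(member:1.2.840.113556.1.4.1941:=$userDn)(distinguishedName=$pgDn)(member:1.2.840.113556.1.4.1941:=$pgDn))"
$groups = @(Get-ADGroup -LDAPFilter $filter)

# Distribution groups never enter the token; only security groups count.
$security = @($groups | Where-Object { $_.GroupCategory -eq 'Security' })

$d = 0; $s = 0
foreach ($g in $security) {
    switch ($g.GroupScope) {
        'DomainLocal' { $d++ }
        'Global'      { $s++ }
        'Universal'   {
            if ($g.SID.AccountDomainSid.Value -eq $accountDomainSid) { $s++ } else { $d++ }
        }
    }
}
$sidHistoryCount = @($user.SIDHistory).Count
$d += $sidHistoryCount

$sidBytes = 40 * $d + 8 * $s
if ($user.TrustedForDelegation) { $sidBytes *= 2 }   # "may double" for delegation
$tokenSize = 1200 + $sidBytes                        # 1200 = estimated ticket overhead

[pscustomobject]@{
    User                  = $user.SamAccountName
    SecurityGroups        = $security.Count
    DomainLocalOrForeign  = $d - $sidHistoryCount
    GlobalOrHomeUniversal = $s
    SIDHistoryEntries     = $sidHistoryCount
    TrustedForDelegation  = [bool]$user.TrustedForDelegation
    EstimatedTokenBytes   = $tokenSize
    ExceedsMaxTokenSize   = ($tokenSize -gt $MaxTokenSize)
    # LSA cannot build a token with more than about 1015 group SIDs (see known issues below)
    Near1015GroupLimit    = (($security.Count + $sidHistoryCount) -ge 1000)
}
```

Run it as `.\Get-TokenSizeEstimate.ps1 -SamAccountName jdalbera`; any account reported with ExceedsMaxTokenSize or Near1015GroupLimit set to True is a candidate for the group consolidation and SIDHistory clean-up above.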
To find and to remove SIDHistory:

Web resources:

Remove SIDhistory:

SIDHistory powershell module:

With AD cmdlets:
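An added example (not code from the original page or from the SIDHistory module it links to) of doing both steps with the AD cmdlets: inventory every object that still carries SIDHistory, grouped by the old domain the SIDs came from, then remove the attribute from one account. It assumes the ActiveDirectory RSAT module and write rights on the target objects; the function and file names are this example's own choices, and -WhatIf should be dropped only after the inventory has been reviewed.

```powershell
# Added example (not from the original page): find and remove SIDHistory with the AD cmdlets.
#Requires -Modules ActiveDirectory

function ConvertTo-Sid {
    # sIDHistory comes back as SecurityIdentifier objects from the AD module but as
    # raw byte[] from ADSI; accept both so the functions work on either input.
    param($Value)
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value }
    if ($Value -is [byte[]]) { return New-Object System.Security.Principal.SecurityIdentifier($Value, 0) }
    return New-Object System.Security.Principal.SecurityIdentifier([string]$Value)
}

function Get-SidHistoryInventory {
    # One row per (object, old SID). The old domain SID lets you group migration
    # leftovers by source domain and spot SIDs from domains that no longer exist.
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, sAMAccountName |
        ForEach-Object {
            $obj = $_
            foreach ($raw in @($obj.sIDHistory)) {
                $sid = ConvertTo-Sid $raw
                [pscustomobject]@{
                    SamAccountName    = $obj.sAMAccountName
                    DistinguishedName = $obj.DistinguishedName
                    ObjectClass       = $obj.ObjectClass
                    OldSid            = $sid.Value
                    OldDomainSid      = $sid.AccountDomainSid.Value
                }
            }
        }
}

function Remove-SidHistory {
    # Removing sIDHistory values is allowed through an ordinary LDAP modify (adding
    # them is not). Do it only after resource ACLs have been re-ACLed to the current
    # SIDs; otherwise access that was granted to the old SID silently disappears.
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [switch]$WhatIf
    )
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties sIDHistory
    if (-not $obj) { throw "No object with sAMAccountName '$SamAccountName'" }
    foreach ($raw in @($obj.sIDHistory)) {
        $sid = ConvertTo-Sid $raw
        Set-ADObject -Identity $obj -Remove @{ sIDHistory = $sid.Value } -WhatIf:$WhatIf
    }
}

$inventory = Get-SidHistoryInventory
$inventory | Export-Csv -NoTypeInformation -Path .\sidhistory-inventory.csv
$inventory | Group-Object OldDomainSid | Select-Object Name, Count   # leftovers per source domain

Remove-SidHistory -SamAccountName jdalbera -WhatIf   # dry run; drop -WhatIf to apply
```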


Token Bloat known issues

How to use Group Policy to add the MaxTokenSize registry entry to multiple computers

New resolution for problems with Kerberos authentication when users belong to many groups

“HTTP 400 – Bad Request (Request Header too long)” error in Internet Information Services (IIS) (KB2020943)

Users who are members of more than 1,015 groups may fail logon authentication

Group Policy may not be applied to users belonging to many groups


Recommended settings for IIS and Apache


Reference article:


Default values (HTTP.sys REG_DWORD values under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters; a restart of the HTTP service is needed for a change to take effect)

Value            Default  Maximum                        Comment
MaxFieldLength   16384    64 – 65534 (64k – 2) bytes     Sets an upper limit for each header. See MaxRequestBytes. This limit translates to approximately 32k characters for a URL.
MaxRequestBytes  16384    256 – 16777216 (16MB) bytes    Determines the upper limit for the total size of the Request line and the headers. Its default setting is 16KB. If this value is lower than MaxFieldLength, the MaxFieldLength value is adjusted.


NOTE: If MaxFieldLength is configured to its maximum value of 64KB, then the MaxTokenSize registry value should be set to 3/4 * 64 = 48KB. For more information on the MaxTokenSize setting, please see the Microsoft knowledge base article KB327825 listed below.

Values recommended: 32768 for both MaxFieldLength and MaxRequestBytes. Applying the 3/4 ratio from the note above, 32768 bytes of header room is enough for a token of about 24 KB; if users are expected to reach the 48000-byte MaxTokenSize, size both values at the 65534 maximum instead.

Note: these settings have typically been implemented on ADFS IIS servers.

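An added example, not code from the original page, that audits the two sides of this relationship together: MaxTokenSize on the Kerberos client/server side and the HTTP.sys limits on the IIS side, flagging any server where the base64-encoded token (4/3 of MaxTokenSize) no longer fits the headers under the 3/4 rule above. It assumes WinRM access and local admin rights on each server; the server names are placeholders.

```powershell
# Added example (not from the original page): check MaxTokenSize against the
# HTTP.sys header limits on a set of servers.
param([string[]]$Servers = @('adfs01', 'adfs02'))   # placeholder names

$audit = Invoke-Command -ComputerName $Servers -ScriptBlock {
    $krbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $httpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $build   = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber

    function Get-RegDword($Key, $Name) {
        # $null when the value (or the key) does not exist
        (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    # An absent MaxTokenSize means the OS default applies: 12000 before
    # Windows 8 / Server 2012 (build 9200), 48000 from then on.
    $tok = Get-RegDword $krbKey 'MaxTokenSize'
    $tokSource = 'registry'
    if ($null -eq $tok) {
        $tok = if ($build -ge 9200) { 48000 } else { 12000 }
        $tokSource = 'default'
    }
    # HTTP.sys defaults from the table above
    $fld = Get-RegDword $httpKey 'MaxFieldLength';  if ($null -eq $fld) { $fld = 16384 }
    $req = Get-RegDword $httpKey 'MaxRequestBytes'; if ($null -eq $req) { $req = 16384 }

    # base64 inflates the token by 4/3, so one header must hold 4/3 * MaxTokenSize;
    # MaxRequestBytes bounds the request line plus all headers and must fit it as well.
    $fits = ($tok -le [math]::Floor($fld * 3 / 4)) -and ($tok -le [math]::Floor($req * 3 / 4))

    [pscustomobject]@{
        Server             = $env:COMPUTERNAME
        Build              = $build
        MaxTokenSize       = $tok
        MaxTokenSizeSource = $tokSource
        MaxFieldLength     = $fld
        MaxRequestBytes    = $req
        TokenFitsHeaders   = $fits
        OverRecommended    = ($tok -gt 48000)   # above the 48000-byte ceiling
    }
}

$audit | Sort-Object Server | Format-Table Server, Build, MaxTokenSize, MaxTokenSizeSource,
    MaxFieldLength, MaxRequestBytes, TokenFitsHeaders, OverRecommended -AutoSize
```

A row with TokenFitsHeaders = False is a server that will answer "HTTP 400 – Bad Request (Request Header too long)" to users whose token actually reaches MaxTokenSize; fix it by raising the HTTP.sys values, not by raising MaxTokenSize further.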

  • For Apache httpd (mod_auth_kerb; note that mod_auth_kerb is no longer maintained and mod_auth_gssapi is its successor, but the header-size point is the same):

# Limit request header fields to 32 KB because we hit the header size limit after the GAD migration (IE only)
LimitRequestFieldSize 32768

LoadModule auth_kerb_module /tools/httpd/current/modules/

<LocationMatch "(/upm/oauth_clients|/upm/oauth/authorize)">
    AuthType Kerberos
    KrbServiceName http
    Krb5Keytab /etc/krb5.keytab
    KrbMethodNegotiate on
    # KrbMethodK5Passwd enables a Basic-auth fallback in which the browser sends the
    # user's password to the server; leave it off unless non-SPNEGO clients need it.
    KrbMethodK5Passwd on
    require valid-user
</LocationMatch>

Note: these settings have been implemented on Apache servers.

System Event log Event ID 31 on domain controller


Reference technet:


Windows 8 and Windows Server 2012 include Kerberos enhancements that specifically target large service ticket and MaxTokenSize scenarios. To summarize:

  • Increased default MaxTokenSize from 12k to 48k
  • New Group Policy setting to centrally manage MaxTokenSize (Computer Configuration > Administrative Templates > System > Kerberos > “Set maximum Kerberos SSPI context token buffer size”)
  • New Group Policy setting to write warnings to the System event log when a service ticket exceeds a designated threshold (System > KDC > “Warning for large Kerberos tickets”; the KDC logs these as Event ID 31)
  • New Resource SID compression to reduce the storage size of SIDs from the resource domain

PowerShell Scripts

  1. Using a PowerShell script to collect all Event ID 31 entries on all the domain controllers:

Modify dclist.csv, then from an elevated PowerShell prompt run: .\Dump-DC-KerberosEventID31.ps1

  2. Using a PowerShell script to assess a specific user by sAMAccountName:

.\CheckMaxTokenSize -Principals <samaccountname> -Details $true

e.g. .\CheckMaxTokenSize -Principals jdalbera -Details $true


Event Viewer – XPath query (Custom View, XML tab) to find all Event ID 31 entries from the last day; Level 3 is Warning and timediff() is in milliseconds, so 86400000 is 24 hours:

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=3) and (EventID=31) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>



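The following is an added example, not the page's Dump-DC-KerberosEventID31.ps1. It runs the same XPath filter as the Event Viewer query above against every domain controller with Get-WinEvent, flattens each event's EventData into one row without assuming the field names, and writes a CSV plus a per-DC count. It assumes the ActiveDirectory RSAT module and remote event-log access to each DC; the DC list is taken from AD instead of dclist.csv, and the script and parameter names are this example's own choices.

```powershell
# Added example (not from the original page): collect KDC Event ID 31 warnings
# from all domain controllers for the last N hours.
#Requires -Modules ActiveDirectory
param(
    [int]$Hours = 24,
    [string]$OutFile = '.\kdc-event31.csv'
)

# Same XPath as the Event Viewer query: Level 3 = Warning, timediff() in milliseconds
$filterXml = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=3) and (EventID=31) and TimeCreated[timediff(@SystemTime) &lt;= $($Hours * 3600000)]]]</Select>
  </Query>
</QueryList>
"@

$dcs = (Get-ADDomainController -Filter *).HostName
$rows = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterXml $filterXml -ErrorAction Stop
    } catch {
        # Get-WinEvent throws both when nothing matched and when the DC is unreachable;
        # tell the two apart so a DC that could not be read is not reported as clean.
        if ($_.Exception.Message -like '*No events were found*') { continue }
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $row = [ordered]@{ DC = $dc; TimeCreated = $e.TimeCreated }
        $i = 0
        foreach ($data in @($xml.Event.EventData.Data)) {
            # <Data Name="..."> elements keep their name; a bare <Data> element comes
            # back as a plain string and gets a positional name so nothing is dropped.
            if ($data -is [string]) { $name = "Data$i"; $value = $data }
            else {
                $name  = if ($data.Name) { $data.Name } else { "Data$i" }
                $value = $data.'#text'
            }
            $row[$name] = $value
            $i++
        }
        [pscustomobject]$row
    }
}

$rows | Export-Csv -NoTypeInformation -Path $OutFile
$rows | Group-Object DC | Select-Object Name, Count   # warnings per DC in the window
```

Because every account with an oversized ticket shows up here as soon as the warning threshold policy is enabled, the CSV is the natural input for the per-user assessment script above: run it for each distinct account in the output rather than for the whole directory.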
Published by jdalbera

IT Pro: 25 years experience for large companies - Technical manager and solution architect: Directory services and Identity Management, Azure AD, Office 365, Azure infrastructures, Microsoft AD Security (ADDS,ADFS,ADCS), PowerShell, Quest solutions architect. Operating systems (Win/Lin). Unix and Microsoft interoperability. Data center Operations. Company integrations. Network architectures. Virtualization and storage infrastructures. HP/Dell servers deployments. Certifications: MCSE, MCPs, MCITS, ITIL, VCP, CCNA, CyberArk
