Technical reference about Kerberos: http://technet.microsoft.com/en-us/library/cc739058(WS.10).aspx
White paper about Kerberos troubleshooting: http://www.microsoft.com/en-us/download/details.aspx?id=21820
Microsoft has published a tool called Tokensz: http://www.microsoft.com/download/en/details.aspx?id=1448
Microsoft has a detailed document about the token-bloat problem, Addressing Problems Due To Access Token Limitation: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=13749
Before starting remediation, the whitepaper's description of how a token is built is worth reading. It lists the factors that determine what ends up in the token:
Several factors can affect the outcome of the token evaluation process, including the following:
- Whether the token is issued for logon purposes or for resource access.
- The groups that the principal is a member of, including direct and transitive memberships.
- The types of groups involved. There are two types of groups in Active Directory: distribution groups and security groups. Distribution groups are not included in the principal's token, but all security groups are included. All group scopes (universal, global, domain local, machine local, and built-in) are included in the token evaluation.
- The functional level (for Windows Server 2003) or the domain mode (for Windows 2000 Server). The token evaluation process evaluates groups recursively. For example, if User A is a member of Group 1 and Group 1 is a member of Group 2, then a token generated for User A contains SIDs representing both Group 1 and Group 2. In native mode and higher domains, universal, global, and domain local groups are all evaluated recursively. Universal security groups do not exist in mixed mode domains.
MaxTokenSize and Token Bloat: http://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-and-kerberos-token-bloat.asp
Updated Guidance and Recommendations
Microsoft's updated guidance reads: "In the past we had guidance that stated you could increase the MaxTokenSize registry entry to 65535. But because of HTTP's base64 encoding of authentication context tokens limits, starting with Windows Server 2012 the default value of the MaxTokenSize registry entry is 48000 bytes. This is why we are recommending that you set the MaxTokenSize no larger than 48000 bytes on any OS version."
The arithmetic behind the number: base64 grows data by a factor of 4/3, so a 48000-byte token becomes 64000 bytes in the Authorization: Negotiate header, which still fits under the 65534-byte per-header ceiling of http.sys (see the MaxFieldLength range below); a 65535-byte token would encode to about 87 KB and could never be carried in one header.
How to reduce Kerberos token bloat
First read this very interesting article: https://dirteam.com/sander/2013/05/22/common-challenges-when-managing-active-directory-domain-services-part-2-unnecessary-complexity-and-token-bloat/
- To reduce the Kerberos ticket size you can:
- Reduce or consolidate group membership (nested groups count: the token carries every transitive security group, see the evaluation rules above)
- Clean up SID history (each SID history entry is carried in the token like a group SID)
- Limit the number of accounts configured as "trusted for delegation": for such accounts the buffer requirement for each SID may double
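The three levers above can be sized per user before touching anything. The following is an added example, not the page's CheckMaxTokenSize script and not code from the Microsoft whitepaper: it walks a user's transitive group membership with the LDAP_MATCHING_RULE_IN_CHAIN matching rule, applies the whitepaper rules (distribution groups excluded, all security group scopes included) and plugs the counts into the estimate formula from Microsoft KB 327825, TokenSize = 1200 + 40d + 8s, doubling the result for accounts trusted for delegation. The function name and output fields are my own; the ActiveDirectory module and read access to the domain are assumed. On Windows 8/Server 2012 and later KDCs resource SID compression makes the real ticket smaller than this estimate, so treat it as an upper bound.

```powershell
# Added example: estimate a user's Kerberos token size (KB 327825 formula).
#   d = domain local groups + universal groups from other domains + SID history entries
#   s = global security groups + universal groups from the account's own domain
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-KerberosTokenEstimate {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$MaxTokenSize = 48000   # Windows Server 2012+ default; 12000 on older systems
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties sIDHistory, TrustedForDelegation, PrimaryGroup
    $accountDomainSid = $user.SID.AccountDomainSid

    # The primary group (normally Domain Users) is not in any group's member attribute,
    # so it is fetched separately. The matching-rule filter expands nested membership
    # server-side. Note: DNs containing ( ) * or \ need LDAP escaping first.
    $groups = @(Get-ADGroup -Identity $user.PrimaryGroup) +
              @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))")
    $groups = $groups | Sort-Object DistinguishedName -Unique

    # Distribution groups never appear in the token (whitepaper rule)
    $security = $groups | Where-Object GroupCategory -eq 'Security'

    $d = 0; $s = 0
    foreach ($g in $security) {
        switch ($g.GroupScope) {
            'DomainLocal' { $d++ }   # includes BUILTIN groups such as Administrators
            'Global'      { $s++ }
            'Universal'   { if ($g.SID.AccountDomainSid -eq $accountDomainSid) { $s++ } else { $d++ } }
        }
    }
    $sidHistoryCount = @($user.sIDHistory).Count
    $d += $sidHistoryCount

    $estimate = 1200 + 40 * $d + 8 * $s
    if ($user.TrustedForDelegation) { $estimate *= 2 }   # per-SID buffer doubles for delegation

    [pscustomobject]@{
        SamAccountName        = $user.SamAccountName
        SecurityGroups        = @($security).Count
        DistributionGroups    = @($groups).Count - @($security).Count
        SidHistoryEntries     = $sidHistoryCount
        TrustedForDelegation  = [bool]$user.TrustedForDelegation
        EstimatedTokenBytes   = $estimate
        MaxTokenSize          = $MaxTokenSize
        ExceedsMaxTokenSize   = ($estimate -gt $MaxTokenSize)
    }
}

# Example run for one user (sAMAccountName is a placeholder)
Get-KerberosTokenEstimate -SamAccountName jdoe | Format-List
```

Running it over every member of a pilot group (`Get-ADGroupMember -Recursive ... | ForEach-Object { Get-KerberosTokenEstimate $_.SamAccountName }`) and sorting on EstimatedTokenBytes quickly shows whether group sprawl, SID history or delegation is the dominant contributor for the accounts that are failing.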
To find and to remove SIDHistory:
SIDHistory powershell module: https://gallery.technet.microsoft.com/PowerShell-Module-for-08769c67
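As an added example that is independent of the TechNet module linked above, the following inventories every object that still carries sIDHistory and removes the values one at a time with -WhatIf support. The function names are my own; the ActiveDirectory module and an account allowed to modify the objects are assumed. sIDHistory cannot be written through LDAP, but individual values can be removed, which is what Set-ADObject -Remove does. Resources whose ACLs still reference the old SIDs lose access the moment the entry is removed, so export the inventory first and re-ACL (or confirm the source domain is retired) before running without -WhatIf.

```powershell
# Added example: find and clear sIDHistory. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SidHistoryReport {
    # "(sIDHistory=*)" matches every user, group or computer with at least one entry
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
        ForEach-Object {
            [pscustomobject]@{
                Name              = $_.Name
                ObjectClass       = $_.ObjectClass
                Entries           = @($_.sIDHistory).Count
                OldSids           = (@($_.sIDHistory) | ForEach-Object { "$_" }) -join ';'
                DistinguishedName = $_.DistinguishedName
            }
        }
}

function Clear-SidHistory {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$DistinguishedName)
    process {
        $obj = Get-ADObject -Identity $DistinguishedName -Properties sIDHistory
        foreach ($sid in @($obj.sIDHistory)) {
            # Each value is removed separately so a failure on one SID does not abort the rest
            if ($PSCmdlet.ShouldProcess($obj.Name, "remove sIDHistory value $sid")) {
                Set-ADObject -Identity $obj.DistinguishedName -Remove @{ sIDHistory = "$sid" }
            }
        }
    }
}

# 1. Inventory and keep a copy for rollback / re-ACL work
$report = Get-SidHistoryReport
$report | Export-Csv -NoTypeInformation .\sidhistory-before.csv
$report | Sort-Object Entries -Descending | Select-Object Name, ObjectClass, Entries | Format-Table

# 2. Dry run on user objects only; drop -WhatIf once the ACL clean-up is done
$report | Where-Object ObjectClass -eq 'user' |
    Select-Object -ExpandProperty DistinguishedName |
    Clear-SidHistory -WhatIf
```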
Token Bloat known issues
- How to use Group Policy to add the MaxTokenSize registry entry to multiple computers
- New resolution for problems with Kerberos authentication when users belong to many groups
- "HTTP 400 – Bad Request (Request Header too long)" error in Internet Information Services (IIS)
- Users who are members of more than 1,015 groups may fail logon authentication
- Group Policy may not be applied to users belonging to many groups
Recommended settings for IIS and Apache
For HTTP (IIS):
Reference article: http://support.microsoft.com/kb/2020943
Both values are DWORDs under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters and are read by http.sys, so IIS (and anything else hosted on http.sys, AD FS included) needs the HTTP service restarted after a change.

| Registry value  | Default | Range                        | Description |
| MaxFieldLength  | 16384   | 64 – 65534 (64 KB – 2) bytes | Upper limit for each individual header. See MaxRequestBytes. This limit translates to approximately 32k characters for a URL. |
| MaxRequestBytes | 16384   | 256 – 16777216 (16 MB) bytes | Upper limit for the total size of the request line plus all headers. Default 16 KB. If this value is lower than MaxFieldLength, MaxFieldLength is adjusted down to it. |

NOTE: If MaxFieldLength is configured to its maximum value of 64 KB, then the MaxTokenSize registry value should be set to 3/4 * 64 = 48 KB. For more information on the MaxTokenSize setting, see Microsoft knowledge base article KB327825.
Values recommended: 32768 for both MaxFieldLength and MaxRequestBytes. Keep the 3/4 rule in mind when choosing them: 32768 only fits a ticket of about 24 KB once base64-encoded, so on servers where MaxTokenSize is at the Windows Server 2012 default of 48000 both values have to go to the 65534 maximum, otherwise users with large tokens still get the HTTP 400 error.
Note: these settings are typically applied on IIS servers that perform Kerberos (Negotiate) authentication, AD FS servers for example.
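The following is an added example (not from the page or from the Microsoft KB) that applies the two http.sys values and checks them against the MaxTokenSize actually in force on the box, using the 3/4 relationship from the note above: the Authorization header must be able to hold 4/3 * MaxTokenSize bytes. The function names are my own; it assumes an elevated PowerShell session on the IIS server. With the page's recommended 32768 and a MaxTokenSize of 48000 the consistency warning fires, which is exactly the case the caveat above describes.

```powershell
# Added example: set http.sys header limits and sanity-check them against MaxTokenSize.
# Run elevated on the IIS / AD FS server. http.sys only re-reads these after the HTTP
# service is restarted (net stop http /y; net start w3svc) or a reboot.
$httpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$krbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-MaxTokenSize {
    $v = Get-ItemProperty -Path $krbKey -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($v) { return [int]$v.MaxTokenSize }
    # Value absent: OS default applies, 48000 from Windows 8 / Server 2012 (NT 6.2), 12000 before
    if ([Environment]::OSVersion.Version -ge [Version]'6.2') { 48000 } else { 12000 }
}

function Set-HttpSysHeaderLimits {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(64, 65534)]      [int]$MaxFieldLength  = 32768,
        [ValidateRange(256, 16777216)]  [int]$MaxRequestBytes = 32768
    )
    $tokenSize = Get-MaxTokenSize
    # base64 expands 3 bytes to 4, so the header needs ceil(4/3 * MaxTokenSize) bytes
    $needed = [math]::Ceiling($tokenSize * 4 / 3)
    if ($MaxFieldLength -lt $needed) {
        Write-Warning ("MaxTokenSize is {0}: the Negotiate header can reach {1} bytes but MaxFieldLength is {2}. " +
                       "Tickets larger than {3} bytes will be rejected with HTTP 400." -f
                       $tokenSize, $needed, $MaxFieldLength, [math]::Floor($MaxFieldLength * 3 / 4))
    }
    if ($MaxRequestBytes -lt $MaxFieldLength) {
        # http.sys silently lowers MaxFieldLength to MaxRequestBytes; make that explicit instead
        Write-Warning "MaxRequestBytes ($MaxRequestBytes) is below MaxFieldLength; raising it to $MaxFieldLength"
        $MaxRequestBytes = $MaxFieldLength
    }
    if ($PSCmdlet.ShouldProcess($httpKey, "MaxFieldLength=$MaxFieldLength MaxRequestBytes=$MaxRequestBytes")) {
        New-ItemProperty -Path $httpKey -Name MaxFieldLength  -PropertyType DWord -Value $MaxFieldLength  -Force | Out-Null
        New-ItemProperty -Path $httpKey -Name MaxRequestBytes -PropertyType DWord -Value $MaxRequestBytes -Force | Out-Null
    }
    Get-ItemProperty -Path $httpKey | Select-Object MaxFieldLength, MaxRequestBytes
}

# Page recommendation: warns on a 2012+ box where MaxTokenSize is 48000
Set-HttpSysHeaderLimits -MaxFieldLength 32768 -MaxRequestBytes 32768 -WhatIf
# Values that actually accommodate a 48000-byte token
Set-HttpSysHeaderLimits -MaxFieldLength 65534 -MaxRequestBytes 65534 -WhatIf
```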
- For Apache HTTP Server, the equivalent knob is LimitRequestFieldSize (default 8190 bytes per header). The configuration used, with the LocationMatch block closed and the directive that implements the comment made explicit:
# Limit each request header to 32 KB because of Kerberos header-size problems after the GAD migration (IE only)
LimitRequestFieldSize 32768
LoadModule auth_kerb_module /tools/httpd/current/modules/mod_auth_kerb.so
<LocationMatch "(/upm/oauth_clients|/upm/oauth/authorize)">
    # mod_auth_kerb directives for these paths are not reproduced on this page
</LocationMatch>
Note: these settings have been applied on the Apache servers.
System Event log Event ID 31 on domain controller
Windows 8 and Windows Server 2012 include Kerberos enhancements that specifically target large service tickets and MaxTokenSize scenarios; Event ID 31 on a domain controller is the warning produced by one of them. To summarize:
- Increased default MaxTokenSize from 12k to 48k
- New Group Policy setting to centrally manage MaxTokenSize
- New Group Policy setting to write warnings to the system event log when a service ticket exceeds a designated threshold
- New Resource SID compression to reduce the storage size of SIDs from the resource domain
- Using a PowerShell script to collect all Event ID 31 entries from all domain controllers:
Edit dclist.csv with the list of domain controllers.
Then, from an elevated PowerShell prompt: .\Dump-DC-KerberosEventID31.ps1
- Using a PowerShell script to assess a specific user by sAMAccountName:
.\CheckMaxTokenSize -Principals <samaccountname> -Details $true
e.g. .\CheckMaxTokenSize -Principals jdalbera -Details $true
Event Viewer XPath query to find all Event ID 31 entries from the last day (Level 3 is Warning; timediff is in milliseconds, so 86400000 is 24 hours; the comparison must be written as &lt;= inside the XML):
<QueryList><Query Id="0" Path="System">
  <Select Path="System">*[System[(Level=3) and (EventID=31) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
</Query></QueryList>
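The same XPath can drive Get-WinEvent against every domain controller, which is what the Dump-DC-KerberosEventID31.ps1 step above does with its dclist.csv. The following is an added example, not the page's script: it discovers the DCs with the ActiveDirectory module instead of a CSV, runs the query remotely, treats "no events" as zero rather than as an error, and summarises the warnings per DC. The function name is my own; remote event log access (RPC) to each DC is assumed.

```powershell
# Added example: collect Kerberos Event ID 31 warnings from all DCs with the XPath filter.
# Assumes the ActiveDirectory module and Event Log Readers (or equivalent) rights on each DC.
Import-Module ActiveDirectory

# Same filter as the Event Viewer query: warnings (Level 3), ID 31, last 24 h
$xpath = '*[System[(Level=3) and (EventID=31) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'

function Get-KerberosTicketSizeWarnings {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    foreach ($dc in $DomainController) {
        try {
            $events = @(Get-WinEvent -ComputerName $dc -LogName System -FilterXPath $xpath -ErrorAction Stop)
        } catch {
            # Get-WinEvent throws when nothing matches; anything else (RPC, access denied) is a real error
            if ($_.Exception.Message -like 'No events were found*') { $events = @() }
            else { Write-Warning "${dc}: $($_.Exception.Message)"; continue }
        }
        foreach ($e in $events) {
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $e.TimeCreated
                Message          = $e.Message   # names the principal and the ticket size that crossed the threshold
            }
        }
    }
}

$warnings = @(Get-KerberosTicketSizeWarnings)
"{0} Event ID 31 warning(s) in the last 24 h" -f $warnings.Count
$warnings | Group-Object DomainController | Sort-Object Count -Descending | Select-Object Name, Count
$warnings | Export-Csv -NoTypeInformation .\kerberos-event31.csv
```

The principals named in the exported messages are the ones to feed into CheckMaxTokenSize (or the estimate function earlier on this page) to find out which of the three levers, group sprawl, SID history or delegation, is responsible.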