"its-uwf" <its-(E-Mail Removed)> wrote in message
news:C48F8EED-5AF5-4C3F-B5A0-(E-Mail Removed)...
> We have three domain controllers that are Windows 2000 Server SP4. Some
> users are having a problem authenticating. When I remove them from a few
> groups they can then authenticate. The user may not be a member of that
> many groups (50 at most), some less. I have read the KB articles that
> pertain to this issue (327825, 263693, 269643, 280830) and it seems to be
> the Kerberos MaxTokenSize, but the articles say that it is resolved with SP4
> which we have installed on all domain controllers.
> Any help with this issue would be greatly appreciated.
> Thanks.
Are the domain controllers local to the workstations or is a WAN link
involved?
I've had this problem at some remote locations, particularly when VPN use is
involved.
The solution in our case was to force Kerberos to use TCP instead of UDP.
This is documented in KB244474. Needed to implement this on all the
workstations at the remote site.
http://support.microsoft.com/default...b;en-us;244474
Some software (notably Cisco VPN client 3.6 and later) makes this change
automatically as part of its installation.
hth
--
Peter <X-Files Fan>
Please Note: Emailed replies cc'd / bcc'd, containing HTML or attachments
auto-binned as spam
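
The KB244474 change mentioned in the reply above is a single registry value, `MaxPacketSize`, under the Kerberos `Parameters` key; setting it to 1 makes the client use TCP for all Kerberos traffic. The script below is an added example, not part of the original thread or of the KB article: it reports the current setting on the local machine and can apply the change. It assumes a workstation with PowerShell and an elevated session; the function names are hypothetical.

```powershell
# Added example: audit, and optionally set, the KB244474 value on this machine.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosMaxPacketSize {
    # Returns the configured MaxPacketSize, or $null when the value is absent
    # (the operating system default then applies).
    $p = Get-ItemProperty -Path $KerbParams -Name MaxPacketSize -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.MaxPacketSize
}

function Get-KerberosTransportSummary {
    # Turns the raw value into a statement an auditor can act on.
    $size = Get-KerberosMaxPacketSize
    if ($null -eq $size) {
        return 'MaxPacketSize not set: OS default applies, Kerberos may start over UDP'
    }
    if ($size -eq 1) {
        return 'MaxPacketSize = 1: Kerberos is forced to TCP'
    }
    return "MaxPacketSize = ${size}: UDP is used for messages up to $size bytes"
}

function Set-KerberosForceTcp {
    # Writes MaxPacketSize = 1 (REG_DWORD). Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $KerbParams)) {
        if ($PSCmdlet.ShouldProcess($KerbParams, 'Create registry key')) {
            New-Item -Path $KerbParams -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$KerbParams\MaxPacketSize", 'Set DWORD to 1')) {
        New-ItemProperty -Path $KerbParams -Name MaxPacketSize `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Report first; apply only when asked, for example:
#   Set-KerberosForceTcp -WhatIf   (dry run)
#   Set-KerberosForceTcp           (apply, then restart the computer)
Get-KerberosTransportSummary
```

The value is read when the machine starts, so a restart is needed before the change takes effect.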