PC Review


Reply
Thread Tools Rating: Thread Rating: 1 votes, 1.00 average.

Kerberos MaxTokenSize

 
 
=?Utf-8?B?aXRzLXV3Zg==?=
Guest
Posts: n/a
 
      17th Jun 2004
We have three domain controllers that are Windows 2000 Server SP4. Some users are having a problem authenticating. When I remove them from a few groups they can then authenticate. The user may not be a member of that many groups (50 at most), some less. I have read the KB articles that pertain to this issue (327825, 263693, 269643, 280830) and it seems to be the Kerberos MaxTokenSize, but the articles say that it is resolved with SP4 which we have installed on all domain controllers.
Any help with this issue would be greatly appreciated.
Thanks.
 
Reply With Quote
 
 
 
 
ptwilliams
Guest
Posts: n/a
 
      17th Jun 2004
Can you be a little more specific as to what type of errors your users are
seeing? Event IDs and Source would be great...


--

Paul Williams
_________________________________________
http://www.msresource.net - Under construction, but coming soon...


Join us in our new forums!
http://forums.msresource.net
_________________________________________


"its-uwf" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> We have three domain controllers that are Windows 2000 Server SP4. Some

users are having a problem authenticating. When I remove them from a few
groups they can then authenticate. The user may not be a member of that
many groups (50 at most), some less. I have read the KB articles that
pertain to this issue (327825, 263693, 269643, 280830) and it seems to be
the Kerberos MaxTokenSize, but the articles say that it is resolved with SP4
which we have installed on all domain controllers.
> Any help with this issue would be greatly appreciated.
> Thanks.



 
Reply With Quote
 
 
 
 
Trust No OneŽ
Guest
Posts: n/a
 
      18th Jun 2004

"its-uwf" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> We have three domain controllers that are Windows 2000 Server SP4. Some

users are having a problem authenticating. When I remove them from a few
groups they can then authenticate. The user may not be a member of that
many groups (50 at most), some less. I have read the KB articles that
pertain to this issue (327825, 263693, 269643, 280830) and it seems to be
the Kerberos MaxTokenSize, but the articles say that it is resolved with SP4
which we have installed on all domain controllers.
> Any help with this issue would be greatly appreciated.
> Thanks.


Are the domain controllers local to the workstations or is a WAN link
involved?

I've had this problem at some remote locations, particularly when VPN use is
involved.

The solution in our case was to force Kerberos to use tcp instead of udp.
This is documented in KB244474. Needed to implement this on all the
workstations at the remote site.

http://support.microsoft.com/default...b;en-us;244474

Some software (notably Cisco VPN client 3.6 and later) make this change
automatically as part of their installation.

hth

--
Peter <X-Files Fan>
Please Note: Emailed replies cc'd / bcc'd , containing HTML or attachments
auto-binned as spam


 
Reply With Quote
 
 
 
Reply

Thread Tools
Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Kerberos =?Utf-8?B?YWNlcGR4NjA3OA==?= Windows XP Help 2 25th Jun 2004 11:10 PM
Kerberos tickets are taking me down.. Help Many servers Fail Kerberos netdiag test... Scott Townsend Microsoft Windows 2000 Active Directory 3 22nd Apr 2004 07:40 PM
Kerberos Error Alberto Windows XP Security 0 10th Nov 2003 08:05 PM
The kerberos subsystem encountered a PAC verification failure. Tom Windows XP Security 0 30th Oct 2003 08:13 PM
Wireless Kerberos Login tcalvin Windows XP Security 0 15th Jul 2003 04:22 PM


Features
 

Advertising
 

Newsgroups
 


All times are GMT +1. The time now is 02:21 PM.