Kerberos MaxTokenSize

Discussion in 'Microsoft Windows 2000 Active Directory' started by Guest, Jun 17, 2004.

  1. Guest

    Guest Guest

    We have three domain controllers that are Windows 2000 Server SP4. Some users are having a problem authenticating. When I remove them from a few groups they can then authenticate. The user may not be a member of that many groups (50 at most), some less. I have read the KB articles that pertain to this issue (327825, 263693, 269643, 280830) and it seems to be the Kerberos MaxTokenSize, but the articles say that it is resolved with SP4 which we have installed on all domain controllers.
    Any help with this issue would be greatly appreciated.
    Thanks.
     
    Guest, Jun 17, 2004
    #1

  2. Guest

    ptwilliams Guest

    Can you be a little more specific as to what type of errors your users are
    seeing? Event IDs and Source would be great...


    --

    Paul Williams
    _________________________________________
    http://www.msresource.net - Under construction, but coming soon...


    Join us in our new forums!
    http://forums.msresource.net
    _________________________________________


    "its-uwf" <> wrote in message
    news:...
    > We have three domain controllers that are Windows 2000 Server SP4. Some
    > users are having a problem authenticating. When I remove them from a few
    > groups they can then authenticate. The user may not be a member of that
    > many groups (50 at most), some less. I have read the KB articles that
    > pertain to this issue (327825, 263693, 269643, 280830) and it seems to be
    > the Kerberos MaxTokenSize, but the articles say that it is resolved with SP4
    > which we have installed on all domain controllers.
    > Any help with this issue would be greatly appreciated.
    > Thanks.
     
    ptwilliams, Jun 17, 2004
    #2

  3. "its-uwf" <> wrote in message
    news:...
    > We have three domain controllers that are Windows 2000 Server SP4. Some
    > users are having a problem authenticating. When I remove them from a few
    > groups they can then authenticate. The user may not be a member of that
    > many groups (50 at most), some less. I have read the KB articles that
    > pertain to this issue (327825, 263693, 269643, 280830) and it seems to be
    > the Kerberos MaxTokenSize, but the articles say that it is resolved with SP4
    > which we have installed on all domain controllers.
    > Any help with this issue would be greatly appreciated.
    > Thanks.


    Are the domain controllers local to the workstations or is a WAN link
    involved?

    I've had this problem at some remote locations, particularly when VPN use is
    involved.

    The solution in our case was to force Kerberos to use TCP instead of UDP.
    This is documented in KB244474. Needed to implement this on all the
    workstations at the remote site.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;244474

    Some software (notably Cisco VPN client 3.6 and later) makes this change
    automatically as part of their installation.

    hth

    --
    Peter <X-Files Fan>
    Please Note: Emailed replies cc'd / bcc'd , containing HTML or attachments
    auto-binned as spam
     
    Trust No One®, Jun 18, 2004
    #3
