Kerberos MaxTokenSize

Guest

We have three domain controllers that are Windows 2000 Server SP4. Some users are having a problem authenticating. When I remove them from a few groups they can then authenticate. The user may not be a member of that many groups (50 at most), some less. I have read the KB articles that pertain to this issue (327825, 263693, 269643, 280830) and it seems to be the Kerberos MaxTokenSize, but the articles say that it is resolved with SP4 which we have installed on all domain controllers.
Any help with this issue would be greatly appreciated.
Thanks.
 
ptwilliams

Can you be a little more specific as to what type of errors your users are
seeing? Event IDs and Source would be great...


--

Paul Williams
_________________________________________
http://www.msresource.net - Under construction, but coming soon...


Join us in our new forums!
http://forums.msresource.net
_________________________________________


its-uwf said:
We have three domain controllers that are Windows 2000 Server SP4. Some
users are having a problem authenticating. When I remove them from a few
groups they can then authenticate. The user may not be a member of that
many groups (50 at most), some less. I have read the KB articles that
pertain to this issue (327825, 263693, 269643, 280830) and it seems to be
the Kerberos MaxTokenSize, but the articles say that it is resolved with SP4
which we have installed on all domain controllers.
 
Trust No One®

its-uwf said:
We have three domain controllers that are Windows 2000 Server SP4. Some
users are having a problem authenticating. When I remove them from a few
groups they can then authenticate. The user may not be a member of that
many groups (50 at most), some less. I have read the KB articles that
pertain to this issue (327825, 263693, 269643, 280830) and it seems to be
the Kerberos MaxTokenSize, but the articles say that it is resolved with SP4
which we have installed on all domain controllers.
Any help with this issue would be greatly appreciated.
Thanks.

Are the domain controllers local to the workstations or is a WAN link
involved?

I've had this problem at some remote locations, particularly when VPN use is
involved.

The solution in our case was to force Kerberos to use TCP instead of UDP.
This is documented in KB244474. Needed to implement this on all the
workstations at the remote site.

http://support.microsoft.com/default.aspx?scid=kb;en-us;244474

Some software (notably Cisco VPN client 3.6 and later) makes this change
automatically as part of its installation.

hth
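
As an added illustration (not written by any poster in this thread), the Python sketch below applies the token-size estimate published in KB327825, one of the articles cited above, and checks the result against both MaxTokenSize and the size window in which Kerberos still uses UDP, which is the window the KB244474 change closes. The defaults (12000, 2000, 1472), the function names, and the use of the token estimate as a stand-in for Kerberos message size are assumptions, not values read from the poster's domain.

```python
"""Added example: rough Kerberos token-size check. All defaults are assumptions."""
from dataclasses import dataclass

TOKEN_OVERHEAD = 1200     # fixed overhead term in the KB327825 estimate
BYTES_PER_FULL_SID = 40   # d: domain local groups, universal groups from other
                          #    domains, SID history entries
BYTES_PER_RID = 8         # s: global groups, universal groups in the account domain


@dataclass
class Verdict:
    token_bytes: int
    exceeds_max_token: bool   # estimate is larger than MaxTokenSize
    udp_fragment_risk: bool   # sent over UDP but too big for one unfragmented datagram


def estimate_token_size(d: int, s: int) -> int:
    """KB327825 estimate: TokenSize = 1200 + 40d + 8s."""
    if d < 0 or s < 0:
        raise ValueError("group counts cannot be negative")
    return TOKEN_OVERHEAD + BYTES_PER_FULL_SID * d + BYTES_PER_RID * s


def assess(d: int, s: int, max_token_size: int = 12000,
           max_packet_size: int = 2000, udp_payload_limit: int = 1472) -> Verdict:
    """Classify one account.

    max_token_size    assumed MaxTokenSize in effect on the machine
    max_packet_size   assumed MaxPacketSize; larger messages go over TCP,
                      and setting it to 1 (KB244474) sends everything over TCP
    udp_payload_limit assumed 1500-byte MTU minus IP and UDP headers; lower on a VPN
    """
    size = estimate_token_size(d, s)
    sent_over_udp = size <= max_packet_size
    return Verdict(size, size > max_token_size,
                   sent_over_udp and size > udp_payload_limit)


if __name__ == "__main__":
    # Constructed cases: 50 groups, counted first as global, then as domain local.
    for label, kwargs in [("50 global groups", dict(d=0, s=50)),
                          ("50 domain local groups", dict(d=50, s=0)),
                          ("50 global groups, TCP forced",
                           dict(d=0, s=50, max_packet_size=1))]:
        print(label, assess(**kwargs))
```

Under these assumptions an account with 50 groups stays well below MaxTokenSize, but a membership made up mostly of global groups lands in the range that is sent over UDP and fragmented, which is the case that breaks over links that drop fragments.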
 