Impact of increasing the MaxTokenSize for Kerberos Tickets

Tags: active-directory, kerberos, windows-server-2008

Recently, by migrating from NetWare to Windows file servers, we have ended up creating a boatload of AD groups. We have now run into some problems with authenticating and gaining access to resources.

After some initial troubleshooting we have landed on the fact that Domain Admins is a member of too many groups (397 at the most recent count) and the Kerberos ticket size has gone over 12000 bytes (it is 13783) (Event ID 6). I found the following article, which seems to describe exactly what has happened and gives some suggestions as to how to fix it:

http://blogs.technet.com/b/surama/archive/2009/04/06/kerberos-authentication-problem-with-active-directory.aspx

The aim is to bump the MaxTokenSize limit to 65535 in the registry. However, I can find no discussion about what the impact of this will be. Long term the aim is to rationalize the creep in the number of groups, but short term this seems like a fix. Has anyone had any experience with this in the past, and are there any caveats we should be aware of before rolling this change out?

We are currently running Server 2008 Domain and Forest Functional Level with all DCs being 64-bit VMs.

UPDATE: So after a bit more reading on this I can see that in Server 2012 the default is set to 48000 for the MaxTokenSize. This looks like a sensible option for us to adopt. One thing I can't seem to find info on still is the likely impact of users having larger tokens. There is some suggestion that this will increase the memory usage on IIS servers, but does anyone know if this will be the case on DCs and member servers (i.e. 32-bit Citrix servers etc.)?

Best Answer

Many organizations set this to 65535 long ago. There are plenty of Microsoft KB articles that recommend this. Previously the recommendation was 100,000 until Microsoft realized that value did not work, and they corrected this to 65535.

If you use integrated Windows authentication with IIS web sites (such as SharePoint), large tokens can result in failed authentication. This is easily resolved by increasing the value for MaxRequestBytes for the http.sys service. This is because the Kerberos token, with its groups, is included in each HTTP request. There is also an IIS setting that can improve the performance of integrated authentication so that only the first request has to be authenticated.

I would advise reviewing your groups and converting some to distribution groups unless they are absolutely required to be a security group. Even with a max token size of 65535, it's possible for an account to be a member of so many groups that it cannot logon.
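As an added check that is not part of the question or the answer above: before raising MaxTokenSize, it helps to know which accounts are already close to the limit. This PowerShell script (my own example, not Microsoft's or the answerer's code) reads the MaxTokenSize currently configured on the machine, estimates a user's token size from its transitive group membership using the formula published in Microsoft KB 327825, and flags the members of Domain Admins whose estimated token exceeds the configured value. It assumes the ActiveDirectory RSAT module and permission to read tokenGroups and sIDHistory on the accounts; the estimate is a guide, not the exact PAC size.

```powershell
# Added example: estimate Kerberos token size per user and compare with MaxTokenSize.
# Assumes the ActiveDirectory module (RSAT). Estimate per KB 327825: 1200 + 40*d + 8*s,
# where d = domain local groups + universal groups from other domains + sIDHistory entries,
# and s = global groups + universal groups from the account's own domain.
Import-Module ActiveDirectory

function Get-ConfiguredMaxTokenSize {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $v = (Get-ItemProperty -Path $lsa -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    if ($null -eq $v) { 12000 } else { $v }   # pre-2012 default applies when the value is absent
}

function Get-EstimatedTokenSize {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups, sIDHistory
    $userDomain = $user.SID.AccountDomainSid
    $d = @($user.sIDHistory).Count          # every SID-history entry costs the "d" rate
    $s = 0
    foreach ($sid in $user.tokenGroups) {   # tokenGroups = transitive security group SIDs
        $grp = Get-ADGroup -Identity $sid -Properties GroupScope -ErrorAction SilentlyContinue
        if ($null -eq $grp) { $d++; continue }  # unresolved (foreign domain): count at the costly rate
        switch ($grp.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($grp.SID.AccountDomainSid -eq $userDomain) { $s++ } else { $d++ } }
        }
    }
    $estimate = 1200 + 40 * $d + 8 * $s
    $limit = Get-ConfiguredMaxTokenSize
    [pscustomobject]@{
        User           = $SamAccountName
        GroupCount     = @($user.tokenGroups).Count
        EstimatedBytes = $estimate
        MaxTokenSize   = $limit
        OverLimit      = ($estimate -gt $limit)
    }
}

# Report every member of Domain Admins (the group the question says is nested in ~400
# groups) whose estimated token would not fit in the currently configured MaxTokenSize.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { Get-EstimatedTokenSize -SamAccountName $_.SamAccountName } |
    Where-Object OverLimit |
    Format-Table -AutoSize
```

Run it on a domain controller or a member server with RSAT; accounts it flags are the ones that will keep hitting Event ID 6 until either the registry value is raised on every client and server or their group membership is trimmed.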
