Fix: After ADMT Migration Users Cannot Logon - Profile Errors - Kerberos - MaxTokenSize
After migrating AD user accounts between Active Directory domains with ADMT and enabling SID history, some users could no longer log on. The cause is that the user's Kerberos token has grown too large: SID history adds the SIDs of the old account and of the old groups to every new token, so the token exceeds the configured maximum. Users then cannot load their profile, their network drive mappings fail, and Group Policy is no longer applied.
I will discuss the quick fix here, and give some detailed background information and additional fixes.
The Quick Fix
You can raise the maximum size of the Kerberos token in the registry. Do this on every computer that takes part in the authentication (client, web server, back-end servers) and reboot afterwards:
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
- If this key is not present, create it. To do so:
- Select HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
- On the Edit menu, click Add Key.
- Create a Parameters key.
- Click the new Parameters key.
- On the Edit menu, click Add Value, and then add the following registry value:
- Value name: MaxTokenSize
- Data type: REG_DWORD
- Radix: Decimal
- Value data: 48000
To set this through Group Policy see this Microsoft kb article; on Windows 8 / Windows Server 2012 and later the same value is also exposed as the policy "Set maximum Kerberos SSPI context token buffer size" under Computer Configuration\Administrative Templates\System\Kerberos, and those versions already default to 48000.
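The same quick fix as a PowerShell script, added here as an example (it is not part of the original article): it creates the Parameters key if needed, creates or updates MaxTokenSize as a REG_DWORD with the decimal value 48000, and then reads the value and its type back. The key path and value name are the ones from the steps above; the 65535 upper bound is the documented maximum for MaxTokenSize. Run it in an elevated PowerShell on every computer in the authentication path and reboot afterwards.

```powershell
# Added example: apply the MaxTokenSize quick fix and verify it.
# Run elevated. A reboot is required before the new limit is used.

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$valueName = 'MaxTokenSize'
$desired   = 48000   # decimal, as in the steps above; 48000 keeps base64-encoded tokens within http.sys limits

if ($desired -lt 1 -or $desired -gt 65535) {
    throw "MaxTokenSize must be between 1 and 65535 (documented maximum); got $desired"
}

# Step "Add Key": create ...\Kerberos\Parameters if it does not exist yet
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
    Write-Host "Created key $keyPath"
}

# Step "Add Value": create the REG_DWORD value, or update it if it already exists
$existing = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $desired | Out-Null
    Write-Host "Created $valueName = $desired"
}
elseif ($existing.$valueName -ne $desired) {
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $desired
    Write-Host "Changed $valueName from $($existing.$valueName) to $desired"
}
else {
    Write-Host "$valueName is already $desired"
}

# Verify the type as well as the value: the setting must be a REG_DWORD, not a string
$key  = Get-Item -Path $keyPath
$kind = $key.GetValueKind($valueName)
$now  = $key.GetValue($valueName)
if ($kind -ne 'DWord' -or $now -ne $desired) {
    throw "Verification failed: $valueName is $now ($kind), expected $desired (DWord)"
}
Write-Host "OK: $valueName = $now ($kind). Reboot to apply."
```

The type check at the end is there because a value typed as REG_SZ looks identical in the Registry Editor's detail pane but is not the setting LSA reads; creating the value with New-ItemProperty -PropertyType DWord avoids that mistake.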
Kerberos Token
When an AD user logs on, a Kerberos token is created. Among other things, it contains:
- The user's primary SID.
- Global and universal group SIDs from the user's account domain or forest.
- Domain local SIDs from the domain of the workstation (if it differs from the domain of the user).
- SIDs from the SID history of the user and of the groups (present after an ADMT migration with SID history enabled).
- Privileges that are explicitly assigned to the user or derived from group membership.
So the more groups the user belongs to (directly, or through SIDs in the SID history), the larger the token. As noted above, this can produce errors anywhere the user has to authenticate. Microsoft's guidance on where the registry value must be set:
Important: To resolve this problem, you must set the MaxTokenSize registry value for all the computers that are involved in the Kerberos authentication process. This includes the SQL Server clients. That is, the registry key has to be set on each computer that is involved in the request/response flow. Therefore, if there is a SQL Server client on which a web application relies, or if the user's token has to be passed to a backend SQL Server database, the registry key has to be set on the SQL Server client computer, the SQL Server database computer, and also the client computer that is running Internet Explorer, the web server that is running IIS, and so on.
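To see how SID history pushes a migrated user over the limit, here is an added example in PowerShell (not from the original article or from Microsoft) that applies the token size estimate published in KB327825, TokenSize = 1200 + 40d + 8s, to the group categories listed above, and also reports how many group SIDs the current logon session's real token carries. The group list and the counts are constructed for illustration: d counts domain local groups, universal groups from other domains and SID history entries; s counts global and universal groups from the user's own domain. The 12000 default is the pre-Windows 8 value, which is where the problem in this article shows up.

```powershell
# Added example: estimate Kerberos token size with the KB327825 formula for a
# constructed group set, and count the groups in the current session's real token.

function Get-EstimatedTokenSize {
    param(
        [Parameter(Mandatory)] [string]   $AccountDomain,   # domain that holds the user account
        [Parameter(Mandatory)] [object[]] $Groups,          # objects with Name, Scope, Domain
        [int] $SidHistoryCount = 0,                          # entries in sIDHistory (user + groups)
        [int] $MaxTokenSize    = 12000                       # default before Windows 8 / Server 2012; 48000 since
    )
    $d = 0   # domain local + universal from other domains + SID history
    $s = 0   # global + universal from the account domain
    foreach ($g in $Groups) {
        switch ($g.Scope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($g.Domain -eq $AccountDomain) { $s++ } else { $d++ } }
            default       { throw "Unknown scope '$($g.Scope)' on group $($g.Name)" }
        }
    }
    $d += $SidHistoryCount
    $estimate = 1200 + 40 * $d + 8 * $s
    [pscustomobject]@{
        D              = $d
        S              = $s
        EstimatedBytes = $estimate
        MaxTokenSize   = $MaxTokenSize
        ExceedsLimit   = ($estimate -gt $MaxTokenSize)
    }
}

function New-SampleGroup([string]$Name, [string]$Scope, [string]$Domain) {
    [pscustomobject]@{ Name = $Name; Scope = $Scope; Domain = $Domain }
}

# Constructed sample: a user in domain NEW who is in 300 groups
$groups = @()
$groups += 1..200 | ForEach-Object { New-SampleGroup "G$_"  'Global'      'NEW' }
$groups += 1..60  | ForEach-Object { New-SampleGroup "DL$_" 'DomainLocal' 'NEW' }
$groups += 1..40  | ForEach-Object { New-SampleGroup "U$_"  'Universal'   'OLD' }

# Before migration, no SID history: d = 100, s = 200 -> 1200 + 4000 + 1600 = 6800 bytes, fits in 12000
Get-EstimatedTokenSize -AccountDomain 'NEW' -Groups $groups | Format-List

# After ADMT with SID history: the old user SID plus the old groups' SIDs (250 entries, all counted in d)
# -> d = 350, s = 200 -> 1200 + 14000 + 1600 = 16800 bytes, over the pre-Windows 8 default of 12000
Get-EstimatedTokenSize -AccountDomain 'NEW' -Groups $groups -SidHistoryCount 250 | Format-List

# Real token of the current logon session: one SID per group, the number LSA actually packs
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host ("{0} is in {1} groups in the current token" -f $id.Name, $id.Groups.Count)
```

The point of the two calls is the weight of the SID history entries: each one costs 40 bytes, the same as a domain local group, so a migrated user does not need many more groups than before to cross the limit. The estimate is only that; the real token also carries claims and privileges, which is why Microsoft recommends headroom rather than a value just above the estimate.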
IIS
IIS may need additional settings. Set the maximum token size first, reboot, and check whether logon still fails.
If you use Integrated Windows Authentication on IIS web sites (such as SharePoint), large tokens can still cause authentication to fail. The reason is that the Kerberos ticket, including all of the user's group SIDs, is sent base64-encoded in the Authorization header of every HTTP request, and http.sys rejects requests whose headers exceed its limits (HTTP 400 Bad Request, request header too long). This is resolved by increasing MaxFieldLength and MaxRequestBytes for the http.sys service.
Because base64 encoding expands the ticket by a factor of 4/3, a MaxFieldLength at its maximum of 64 KB can hold a token of at most 3/4 × 64 KB = 48 KB; that is why MaxTokenSize is set to 48000 and not higher. For more information on MaxTokenSize see Microsoft KB327825.
Following the kb article that describes the two registry values MaxFieldLength and MaxRequestBytes, we first raised both on the IIS server from the default of 16384 to 32768; the value needed depends on the ticket size, and with MaxTokenSize at 48000 the maximum of 65534 is required, as listed below. Both values live under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
So if you set the maximum token size to:
- HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
- MaxTokenSize
- Data type: REG_DWORD
- Radix: Decimal
- Value data: 48000
you should set the maximum field length and maximum request bytes for http.sys to:
- HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
- MaxFieldLength
- Data type: REG_DWORD
- Radix: Decimal
- Value data: 65534
- MaxRequestBytes
- Data type: REG_DWORD
- Radix: Decimal
- Value data: 65534
Note that both values must be created as REG_DWORD, and that http.sys reads them only when the HTTP service starts, so restart the computer (or stop and restart the HTTP service) afterwards.
The descriptions of these values are:
MaxFieldLength - Sets an upper limit for each header. This limit translates to approximately 32k characters for a URL. Default value 16384, range 64 - 65534 (64k - 2) bytes.
MaxRequestBytes - Determines the upper limit for the total size of the request line and the headers. Its default setting is 16 KB. If this value is lower than MaxFieldLength, the MaxFieldLength value is adjusted. Default value 16384, range 256 - 16777216 (16 MB) bytes.
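The http.sys side of the fix as a PowerShell script, added here as an example (not from the original article or from Microsoft): it first checks that a base64-encoded token of MaxTokenSize bytes fits in a 65534-byte header, then creates or updates MaxFieldLength and MaxRequestBytes as REG_DWORD values under the key above, and optionally restarts the HTTP service so the new limits are read. The 64-byte slack for the header name and the Negotiate scheme is my assumption, not a documented figure. Run it elevated on the IIS server.

```powershell
# Added example: set http.sys header limits to match MaxTokenSize and restart http.sys.
# Run elevated on the IIS server.

$maxTokenSize = 48000
$httpKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# The ticket travels base64-encoded in "Authorization: Negotiate <blob>", so the header
# needs 4/3 of the token plus a little room for the header name and scheme (64 bytes assumed).
$needed = [math]::Ceiling($maxTokenSize / 3) * 4 + 64
if ($needed -gt 65534) {
    throw "MaxTokenSize $maxTokenSize needs a header of $needed bytes; http.sys MaxFieldLength tops out at 65534"
}

$settings = [ordered]@{
    MaxFieldLength  = 65534   # per-header limit, range 64 - 65534
    MaxRequestBytes = 65534   # request line + all headers, range 256 - 16777216; must not be below MaxFieldLength
}
if ($settings.MaxRequestBytes -lt $settings.MaxFieldLength) {
    throw "MaxRequestBytes must be >= MaxFieldLength"
}

if (-not (Test-Path -Path $httpKey)) { New-Item -Path $httpKey -Force | Out-Null }

foreach ($name in $settings.Keys) {
    $wanted  = $settings[$name]
    $current = (Get-ItemProperty -Path $httpKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) {
        New-ItemProperty -Path $httpKey -Name $name -PropertyType DWord -Value $wanted | Out-Null
        Write-Host "Created $name = $wanted"
    }
    elseif ($current -ne $wanted) {
        Set-ItemProperty -Path $httpKey -Name $name -Value $wanted
        Write-Host "Changed $name from $current to $wanted"
    }
    else {
        Write-Host "$name already $wanted"
    }
}

# http.sys reads these values when the HTTP service starts. Stopping HTTP also stops
# dependents such as W3SVC; starting W3SVC brings HTTP back up. Set $restart to $true
# to do it now (brief outage), otherwise reboot later.
$restart = $false
if ($restart) {
    & net stop http /y
    & net start w3svc
}
```

An iisreset is not enough here: it recycles the worker processes and W3SVC but not the kernel-mode HTTP service that owns these limits, which is why the script stops the HTTP service itself.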
Tomcat
Tomcat (4.x from 4.1.31, 5.x and 6.x) also imposes a limit on the total size of the headers of each HTTP request. The default limit is 4 KB or 8 KB, depending on the Tomcat version. If the headers of a request exceed the limit, Tomcat abruptly closes the TCP connection; it does not send an HTTP error response or anything like that, so the failure looks like a dropped connection rather than an authentication error.
The fix is to raise the maxHttpHeaderSize attribute of the HTTP Connector in server.xml, the main Tomcat configuration file. We first went from 16384 to 32768; as with http.sys, the header must hold the base64-encoded ticket (4/3 of the token), so with MaxTokenSize at 48000 use 65534.
Open server.xml in a text editor:
- C:\Program Files (x86)\Business Objects\Tomcat55\conf\server.xml
- Find the Connector element for HTTP and its maxHttpHeaderSize attribute (add the attribute if it is not there)
- Set the correct value
- Value: 65534
- Restart Tomcat for the change to take effect
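Here is an added example (not from the original article or from the Tomcat project) that makes the same server.xml change from PowerShell: it backs up the file, sets maxHttpHeaderSize on every HTTP Connector element (a Connector with no protocol attribute defaults to HTTP/1.1; AJP connectors are skipped because the attribute does not apply to them) and saves the result. The path is the BusinessObjects one given above; adjust it for your installation, and restart Tomcat afterwards.

```powershell
# Added example: set maxHttpHeaderSize on all HTTP connectors in Tomcat's server.xml.

function Set-TomcatMaxHttpHeaderSize {
    param(
        [Parameter(Mandatory)] [string] $ServerXml,
        [int] $Size = 65534          # must hold the base64 token: at least 4/3 * MaxTokenSize
    )
    if (-not (Test-Path -Path $ServerXml)) { throw "server.xml not found: $ServerXml" }

    # Keep a timestamped backup so the change can be reverted
    $backup = '{0}.{1:yyyyMMddHHmmss}.bak' -f $ServerXml, (Get-Date)
    Copy-Item -Path $ServerXml -Destination $backup

    [xml]$doc = Get-Content -Path $ServerXml -Raw

    # HTTP connectors: protocol attribute omitted (defaults to HTTP/1.1) or starting with "HTTP".
    # AJP connectors are skipped; maxHttpHeaderSize does not apply to them.
    # Commented-out <Connector> elements are XML comments, so XPath does not match them.
    $connectors = $doc.SelectNodes("//Connector[not(@protocol) or starts-with(@protocol,'HTTP')]")
    if ($connectors.Count -eq 0) { throw "No HTTP Connector elements found in $ServerXml" }

    foreach ($c in $connectors) {
        $old = $c.GetAttribute('maxHttpHeaderSize')      # "" when the attribute is absent
        $c.SetAttribute('maxHttpHeaderSize', [string]$Size)
        $label = if ($old) { $old } else { '(default 4K/8K)' }
        Write-Host ("Connector port {0}: maxHttpHeaderSize {1} -> {2}" -f $c.GetAttribute('port'), $label, $Size)
    }

    $doc.Save($ServerXml)
    Write-Host "Saved $ServerXml (backup: $backup). Restart Tomcat to apply."
}

# Path from the article (the Tomcat 5.5 bundled with BusinessObjects); change it for other installations
Set-TomcatMaxHttpHeaderSize -ServerXml 'C:\Program Files (x86)\Business Objects\Tomcat55\conf\server.xml' -Size 65534
```

Editing through the XML parser rather than a text search avoids touching the commented-out sample connectors that ship in the default server.xml, and the backup makes it easy to diff what changed before restarting the service.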