Internet Explorer Kerberos authentication does not work because of an insufficient buffer connecting to IIS

Article translations Article translations
Article ID: 269643
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
Expand all | Collapse all

On This Page

Symptoms

When you try to connect to a Microsoft Internet Information Server (IIS) computer that is configured to use Microsoft Windows 2000 authentication, you receive an Enter Network Password dialog box. When you try to log on, you may be prompted to provide your network credentials again, and after you do so, you may receive the following error message:
You are not authorized to view this page

You do not have permission to view this directory or page using the credentials you supplied.

Cause

This problem can occur even though the credentials you provide are valid and can be utilized to obtain access to the same computer through the Microsoft Windows NT Server service by using the net use command. However, the Wininet.dll file may not allocate a sufficient buffer for containing the user's Kerberos token. For example, this can occur if the user is a member of more than 100 groups.

Resolution

To resolve this problem, use the appropriate method for your version of Internet Explorer.

Internet Explorer 5.5

To resolve this problem with Internet Explorer 5.5, obtain and install Internet Explorer 5.5 Service Pack 2 or later.

For additional information about how to obtain the latest service pack for Internet Explorer 5.5, click the following article number to view the article in the Microsoft Knowledge Base:
276369 How to obtain the latest service pack for Internet Explorer 5.5

Internet Explorer 5.01

To resolve this problem with Internet Explorer 5.01, obtain and install either Internet Explorer 5.01 Service Pack 2 or later or Microsoft Windows 2000 Service Pack 2 or later.

For additional information about how to obtain the latest service pack for Windows 2000 or Internet Explorer 5.01, click the following article numbers to view the articles in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
267954 How to obtain the latest Internet Explorer 5.01 service pack
For additional information about how to resolve this problem with Internet Explorer 5.01 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:
277741 Internet Explorer logon fails due to an insufficient buffer for Kerberos

Workaround

To work around this problem, reduce the number of groups that the user is a member of.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Internet Explorer version 5.01 Service Pack 2.

More information

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
This hotfix allows a larger number of groups to be supported. To increase the maximum token size after you install the hotfix, use the following steps:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate and then click the following key in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
  3. On the Edit menu, click Add Key, and then add the following registry key:
    Key name: Parameters
  4. On the Edit menu, click Add Value, and then add the following registry value:
    Value name: MaxTokenSize Type: REG_DWORD
    Radix: Decimal
    Value: 65535
  5. Quit Registry Editor.
Note A token size of 65,535 supports approximately 900 groups that a user may be a member of. The SID information that is associated with each group may vary in size, and this can result in some variation in this value. For additional information about Kerberos Token Size configuration and support in Windows 2000, click the following article numbers to view the articles in the Microsoft Knowledge Base:
263693 Group Policy may not be applied to users belonging to many groups
297869 SMS administrator issues after you modify the Kerberos MaxTokenSize registry value
Note This problem involves an Internet Explorer Wininet buffering issue. In order to resolve this issue, the hotfix, Windows 2000 Service Pack 2 or Internet Explorer update must be applied and the registry parameter must be set on all client systems.

Properties

Article ID: 269643 - Last Review: June 19, 2014 - Revision: 5.0
Keywords: 
kbhotfixserver kbqfe kbbug kbenv kberrmsg kbfix kbie501presp2fix KB269643
Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com