Article ID: 269643
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/256986/ )Description of the Microsoft Windows Registry
When you try to connect to a Microsoft Internet Information Server (IIS) computer that is configured to use Microsoft Windows 2000 authentication, you receive an Enter Network Password dialog box. When you try to log on, you may be prompted to provide your network credentials again, and after you do so, you may receive the following error message:
You are not authorized to view this page
You do not have permission to view this directory or page using the credentials you supplied.
This problem can occur even though the credentials you provide are valid and can be utilized to obtain access to the same computer through the Microsoft Windows NT Server service by using the net use command. However, the Wininet.dll file may not allocate a sufficient buffer for containing the user's Kerberos token. For example, this can occur if the user is a member of more than 100 groups.
To resolve this problem, use the appropriate method for your version of Internet Explorer.
Internet Explorer 5.5To resolve this problem with Internet Explorer 5.5, obtain and install Internet Explorer 5.5 Service Pack 2 or later.
For additional information about how to obtain the latest service pack for Internet Explorer 5.5, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/276369/ )How to obtain the latest service pack for Internet Explorer 5.5
Internet Explorer 5.01To resolve this problem with Internet Explorer 5.01, obtain and install either Internet Explorer 5.01 Service Pack 2 or later or Microsoft Windows 2000 Service Pack 2 or later.
For additional information about how to obtain the latest service pack for Windows 2000 or Internet Explorer 5.01, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/260910/ )How to obtain the latest Windows 2000 service pack
267954For additional information about how to resolve this problem with Internet Explorer 5.01 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/267954/ )How to obtain the latest Internet Explorer 5.01 service pack
(http://support.microsoft.com/kb/277741/ )Internet Explorer logon fails due to an insufficient buffer for Kerberos
To work around this problem, reduce the number of groups that the user is a member of.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Internet Explorer version 5.01 Service Pack 2.
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
This hotfix allows a larger number of groups to be supported. To increase the maximum token size after you install the hotfix, use the following steps:
(http://support.microsoft.com/kb/263693/ )Group Policy may not be applied to users belonging to many groups
297869Note This problem involves an Internet Explorer Wininet buffering issue. In order to resolve this issue, the hotfix, Windows 2000 Service Pack 2 or Internet Explorer update must be applied and the registry parameter must be set on all client systems.
(http://support.microsoft.com/kb/297869/ )SMS administrator issues after you modify the Kerberos MaxTokenSize registry value
Article ID: 269643 - Last Review: June 19, 2014 - Revision: 5.0