For example, if a user is a member of a group either directly or by membership in another group, the security ID (SID) for that group is added to the user's token. For a SID to be added to the user's token, the SID information must be communicated by using the Kerberos token. If the required SID information exceeds the size of the token, authentication is unsuccessful.
To resolve this problem, increase the Kerberos token size. To do this, follow these steps on the client computer that logs the Kerberos event.
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  Note: If the Parameters key is not present, create the key. To do this, follow these steps:
  - Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
  - On the Edit menu, point to New, and then click Key.
  - Type Parameters, and then press ENTER.
- Locate and then click the following registry subkey:
- On the Edit menu, point to New, and then click DWORD Value.
- Type MaxTokenSize, and then press ENTER.
- On the Edit menu, click Modify.
- In the Base area, click Decimal, type 65535 in the Value data box, and then click OK.
Note: The default value for the MaxTokenSize registry entry is a decimal value of 12,000. We recommend that you set this registry entry value to a decimal value of 65,535. If you incorrectly set this registry entry value to a hexadecimal value of 65,535, Kerberos authentication operations may fail. Additionally, programs may return errors.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
297869 SMS administrator issues after you modify the Kerberos MaxTokenSize registry value
- Exit Registry Editor.
- Restart the computer.
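The same change can be scripted and checked from an elevated PowerShell session. This is an added example, not part of the original article: it creates the Parameters key if needed, flags the hexadecimal entry mistake the note warns about (typing 65535 with Base set to Hexadecimal stores 0x65535, which is 415029 decimal), and sets the value as a decimal DWORD.

```powershell
# Added example: audit and set the Kerberos MaxTokenSize value described above.
# Run elevated on the client computer that logs the Kerberos event.
$path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$name     = 'MaxTokenSize'
$expected = 65535      # decimal, as the article recommends
$hexTypo  = 0x65535    # 415029 decimal: 65535 typed with Base = Hexadecimal

# Create the Parameters key if it is not present.
if (-not (Test-Path -Path $path)) {
    New-Item -Path $path -Force | Out-Null
}

# Read the current value; $null means the entry does not exist yet.
$current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

if ($null -eq $current) {
    Write-Output "$name is not set; the default of 12000 (decimal) applies."
} elseif ($current -eq $hexTypo) {
    Write-Warning "$name is $current (0x65535): 65535 was entered as hexadecimal."
} elseif ($current -eq $expected) {
    Write-Output "$name is already $expected (decimal)."
} else {
    Write-Output "$name is currently $current (decimal)."
}

if ($current -ne $expected) {
    # DWord matches the DWORD Value created in Registry Editor; -Force overwrites.
    New-ItemProperty -Path $path -Name $name -PropertyType DWord `
        -Value $expected -Force | Out-Null
}

# Read the entry back and confirm both its type and its data.
$key   = Get-Item -Path $path
$kind  = $key.GetValueKind($name)
$value = $key.GetValue($name)
if ($kind -ne 'DWord' -or $value -ne $expected) {
    throw "$name verification failed: kind=$kind value=$value"
}
Write-Output "$name = $value ($kind). Restart the computer."
```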
Article ID: 935744 - Last Review: Mar 15, 2008 - Revision: 1