Article ID: 2774190
After Windows Server 2012 domain controllers are deployed, the following symptoms may be observed when accessing file shares hosted on NAS (network attached storage) devices.
This problem occurs under the following conditions:
There are two ways to resolve a Kerberos resource SID compression interoperability issue.
Resolution 1: (preferred)
The preferred resolution to the resource SID compression interoperability issue is to turn on the "disable Resource Group Compression" bit (0x80000) in the msDS-SupportedEncryptionTypes attribute of the Active Directory object that is the principal representing the security context of the NAS/Linux service. To produce the correct value, you need to
Alternatively, you can use the following Windows PowerShell script to disable resource SID compression on the given security principal:
Import-Module ActiveDirectory   # RSAT AD module; the identity below is a placeholder, not from the article
$principal = "CN=NAS01,CN=Computers,DC=contoso,DC=com"
# Get the AD principal and the current msDS-SupportedEncryptionTypes value
$obj = Get-ADObject -Identity $principal -Properties "msDS-SupportedEncryptionTypes"
$newValue = $value = [int]$obj."msDS-SupportedEncryptionTypes"
if( ($value -band 0x00080000) -eq 0)  # enable the disable bit (0x80000) while keeping the existing encryption-type bits
{
    $newValue = $value -bor 0x00080000
}
if($newValue -ne $value)  # update only if the value actually changed
{
    Set-ADObject -Identity $obj -Replace @{"msDS-SupportedEncryptionTypes" = $newValue}
}
Resolution 2:
This resolution should be used only when resolution 1 cannot be used.
This resolution disables resource SID compression on an individual Windows Server 2012 domain controller (KDC). You must apply this setting to each Windows Server 2012 domain controller to ensure the domain controllers do not issue tickets that use resource group SID compression.
Resource SID compression is on by default; however, you can disable it. You disable resource SID compression on a Windows Server 2012 KDC using the DisableResourceGroupsFields registry value under the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters registry key. This registry value has a DWORD registry value type. You completely disable resource SID compression when you set the registry value to 1. The KDC reads this configuration when building a service ticket. With the value set to 1, the KDC does not use resource SID compression when building the service ticket.
KDC Resource SID Compression
Kerberos authentication inserts into the authentication data the security identifiers (SIDs) of the security principal, its SID history, and all the groups of which the user is a member, including universal groups and groups from the resource domain. Security principals with many group memberships greatly increase the size of the authentication data. Sometimes the authentication data is larger than the allocated size reported by Kerberos to applications, which can cause authentication failure in some applications. Because SIDs from the resource domain share the same domain portion of the SID, these SIDs can be compressed by providing the resource domain SID only once for all SIDs in the resource domain.
Windows Server 2012 KDCs help reduce the size of the PAC by taking advantage of resource SID compression. By default, a Windows Server 2012 KDC will always compress resource SIDs. To compress resource SIDs, the KDC stores the SID of the resource domain to which the target resource belongs. Then, it inserts only the RID portion of each resource SID into the ResourceGroupIds portion of the authentication data.
Resource SID Compression reduces the size of each stored instance of a resource SID because the domain SID is stored once rather than with each instance. Without resource SID Compression, the KDC inserts all the SIDs added by the resource domain in the Extra-SID portion of the PAC structure, which is a list of SIDs. [MS-KILE]
Other Kerberos implementations may not understand resource group compression and therefore are not compatible. In these scenarios, you may need to disable resource group compression to allow the Windows Server 2012 KDC to interoperate with the third-party Kerberos implementation.
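The compression described above, as an added example that is not code from the KB article: it serialises SIDs into the binary layout the PAC uses, splits resource-domain group SIDs into the one domain SID plus per-group RIDs that a compressing KDC emits, rebuilds them the way a consumer that understands the field must, and compares the approximate size of both encodings. All SIDs and RIDs are constructed sample values.

```python
import struct

# Constructed sample data (not from the KB article): one resource domain, three
# groups in it, and one group from a different domain that cannot be compressed.
RESOURCE_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
RESOURCE_GROUP_SIDS = [RESOURCE_DOMAIN_SID + "-1108", RESOURCE_DOMAIN_SID + "-1109",
                       RESOURCE_DOMAIN_SID + "-1110", "S-1-5-21-999-888-777-1200"]

def sid_to_bytes(sid):
    """Serialise 'S-1-5-21-...' into the binary SID layout used in the PAC:
    revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then one little-endian DWORD per sub-authority."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string: " + sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def compress_resource_sids(sids, domain_sid):
    """What a compressing KDC does: keep the resource domain SID once and only
    the RID of each group in that domain (ResourceGroupDomainSid/ResourceGroupIds).
    SIDs from any other domain are returned separately; they stay in ExtraSids."""
    rids, extra = [], []
    for sid in sids:
        prefix, _, rid = sid.rpartition("-")
        if prefix == domain_sid:
            rids.append(int(rid))
        else:
            extra.append(sid)
    return domain_sid, rids, extra

def expand_resource_sids(domain_sid, rids):
    """What a consumer that understands compression must do: rebuild full SIDs.
    A consumer that ignores the field never sees these group memberships."""
    return [f"{domain_sid}-{rid}" for rid in rids]

def encoded_sizes(sids, domain_sid):
    """Approximate PAC bytes for the same groups in both encodings, ignoring NDR
    headers: ExtraSids carries a full SID plus 4-byte attributes per group; the
    compressed form carries one domain SID plus a 4-byte RID and 4-byte attributes."""
    domain_sid, rids, extra = compress_resource_sids(sids, domain_sid)
    uncompressed = sum(len(sid_to_bytes(s)) + 4 for s in sids)
    compressed = (len(sid_to_bytes(domain_sid)) + 8 * len(rids)
                  + sum(len(sid_to_bytes(s)) + 4 for s in extra))
    return uncompressed, compressed
```

For the sample data, `encoded_sizes` returns (128, 80): the three in-domain groups shrink from 96 to 48 bytes, while the foreign-domain group costs the same in both forms.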
(http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.
Article ID: 2774190 - Last Review: May 22, 2015 - Revision: 4.0