Applies To
Windows Server 2012; Windows Server 2012 R2; Windows 10; Windows 10 Education, version 1607; Windows 10 Professional, version 1607; Windows 10 Enterprise, version 1607; Windows 10 Enterprise, version 1809; Windows 10 Professional Education, version 1607; Windows 10 Pro Education, version 1607; Windows Server 2016; Windows Server 2019; Windows Server 2022; Windows 10 Home and Pro, version 21H2; Windows 10 Enterprise and Education, version 21H2; Windows 10 IoT Enterprise, version 21H2; Windows 10 Home and Pro, version 22H2; Windows 10 Enterprise Multi-Session, version 22H2; Windows 10 Enterprise and Education, version 22H2; Windows 10 IoT Enterprise, version 22H2; Windows 11 Home and Pro, version 21H2; Windows 11 Enterprise Multi-Session, version 21H2; Windows 11 Enterprise and Education, version 21H2; Windows 11 IoT Enterprise, version 21H2; Windows 11 Home and Pro, version 22H2; Windows 11 Enterprise Multi-Session, version 22H2; Windows 11 Enterprise and Education, version 22H2; Windows 11 IoT Enterprise, version 22H2; Azure Local, version 22H2; Windows 11 Home and Pro, version 23H2; Windows 11 Enterprise and Education, version 23H2; Windows 11 Enterprise Multi-Session, version 23H2; Windows 11 IoT Enterprise, version 23H2; Windows 11 SE, version 24H2; Windows 11 Enterprise and Education, version 24H2; Windows 11 Enterprise Multi-Session, version 24H2; Windows 11 Home and Pro, version 24H2; Windows 11 IoT Enterprise, version 24H2; Windows Server 2025

Original publish date: February 20, 2025

KB ID: 5054215

Change history

Change date: March 4, 2025
Change description: Clarified the wording in the "Guidance to work around the string-length limitations" section.

Introduction

The host-to-realm policy in Kerberos is used to map a host (such as a client computer or server) to a specific Kerberos realm. For more information, please see Policy CSP - ADMX_Kerberos.

This article describes string-length limitations in the host-to-realm policy for Kerberos, scenarios where the limitations apply, and provides guidance on how to overcome the limitations.

What are the string-length limitations?

  • User interface (UI) character limit for host names: The Group Policy Editor control used to enter the data does not load more than 1,024 characters into a realm's host-list entry. However, you can type up to 32,767 characters, and they are written successfully to registry.pol.

  • Character limit for host names: The Kerberos client that reads this setting on the device where the policy applies has a hard limit of 2,048 characters for the host name list.

In what scenarios do the limitations apply?

The string-length limitations apply in the following scenarios:

  • You have an Active Directory domain and a third-party Kerberos realm, such as an MIT Kerberos realm on FreeBSD or Linux, that is connected to the domain by a realm trust.

  • You support multiple SPN suffixes, or a list of hosts that are mapped manually to the realm that trusts the AD forest.

When you set the host-to-realm mapping policy in the domain Group Policy, the following fields are defined:

  • Policy name: Define host name-to-Kerberos realm mappings

  • Registry subkey: domain_realm

Beyond a certain length of the host string, the Group Policy Editor no longer shows the list of hosts: the "Value name" and "Value" fields appear empty, and retrieving a ticket for one of these hosts may fail.
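The following script is an added example, not part of this article, that measures the host lists stored in a GPO against the two limits described above without opening the Group Policy Editor. It assumes the RSAT GroupPolicy module is installed, that the ADMX policy stores one value per realm (value name = realm, value = semicolon-separated host list) under HKLM\SOFTWARE\Policies\Microsoft\System\Kerberos\domain_realm, and uses a hypothetical GPO name.

```powershell
# Added example (not from the KB): report the length of each realm's host list in a GPO
# against the 1,024-character UI limit and the 2,048-character Kerberos client limit.
# Assumptions: GroupPolicy RSAT module present; GPO name is hypothetical; the ADMX
# policy writes realm/host-list pairs under the domain_realm key below, with hosts
# separated by semicolons.
Import-Module GroupPolicy

$GpoName     = 'Kerberos Realm Mappings'   # hypothetical GPO name
$PolicyKey   = 'HKLM\SOFTWARE\Policies\Microsoft\System\Kerberos\domain_realm'
$UiLimit     = 1024   # editor stops displaying the entry beyond this length
$ClientLimit = 2048   # Kerberos client hard limit per host name list

function Test-HostToRealmLength {
    param([string]$Name, [string]$Key)
    try {
        # Without -ValueName, Get-GPRegistryValue returns every value under the key,
        # i.e. one object per realm.
        $values = Get-GPRegistryValue -Name $Name -Key $Key -ErrorAction Stop
    } catch {
        Write-Warning "No host-to-realm values found in '$Name' under $Key : $_"
        return
    }
    foreach ($v in $values) {
        $list   = [string]$v.Value
        $length = $list.Length
        $hosts  = @($list -split ';' | Where-Object { $_ }).Count
        $state  = if ($length -gt $ClientLimit) {
                      "EXCEEDS client limit ($ClientLimit): clients will not read this list"
                  } elseif ($length -gt $UiLimit) {
                      "exceeds UI limit ($UiLimit): editor shows empty fields, clients still accept it"
                  } else {
                      'ok'
                  }
        [pscustomobject]@{ Realm = $v.ValueName; Hosts = $hosts; Length = $length; State = $state }
    }
}

Test-HostToRealmLength -Name $GpoName -Key $PolicyKey | Format-Table -AutoSize
```

Run this on a domain-joined administration workstation. A realm whose list is over 1,024 characters but under 2,048 will look empty in the editor yet still be applied by clients; a list over 2,048 characters is the case the workarounds in the next section address.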

Guidance to work around the string-length limitations

  • The UI limit: To avoid problems entering long strings in the ADMX Group Policy Editor, keep the host name list in a separate text file. When you update the list of hosts, modify the text file, then open the policy and paste the updated string into the edit control for the relevant realm mapping. You can also use the Set-GPRegistryValue PowerShell cmdlet from a script; it accepts a long string as a parameter and writes it to the Group Policy.

  • The registry entry host name length limit: As of February 2025, the 2,048-character limit for host names cannot be avoided when you use the ADMX Group Policy or the Intune CSP setting.

    There is a workaround that does not require Group Policy: use the ksetup /addhosttorealmmap command, as documented in the ksetup addhosttorealmmap guide. This approach is limited only by the general size limits of the SYSTEM registry hive and by heap limits.

    You can also use the Registry Group Policy Preferences to distribute the host mappings by using the data stored by the ksetup /addhosttorealmmap command in the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm

    To create this setting in the Registry Group Policy Preferences, use the PowerShell cmdlet Set-GPPrefRegistryValue.
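The following script is an added example, not part of this article, that ties the two workarounds together. It reads the host list from a text file; if the joined string fits the 2,048-character client limit it writes the ADMX policy value with Set-GPRegistryValue (bypassing the editor's 1,024-character UI limit), otherwise it registers each host with ksetup /addhosttorealmmap on the computer it runs on and replays the resulting HostToRealm registry data into a Registry Group Policy Preference with Set-GPPrefRegistryValue. The file path, realm name and GPO names are hypothetical, the RSAT GroupPolicy module is assumed, and the domain_realm policy path and semicolon separator are assumptions about the ADMX policy layout.

```powershell
# Added example (not from the KB): deploy a host-to-realm list that is too long for the
# ADMX policy. Run as an administrator on a reference computer that has the GroupPolicy
# RSAT module. File path, realm and GPO names are hypothetical.
Import-Module GroupPolicy

$Realm       = 'EXAMPLE.ORG'                    # hypothetical MIT realm
$HostFile    = 'C:\Kerberos\hosts-example.txt'  # one host name or suffix per line (hypothetical)
$PolicyGpo   = 'Kerberos Realm Mappings'        # hypothetical GPO holding the ADMX policy
$PrefGpo     = 'Kerberos Realm Mappings (GPP)'  # hypothetical GPO holding the Registry Preference
$ClientLimit = 2048
$PolicyKey   = 'HKLM\SOFTWARE\Policies\Microsoft\System\Kerberos\domain_realm'   # assumed ADMX path
$HostToRealm = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm' # written by ksetup

$hosts  = @(Get-Content -Path $HostFile | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$joined = $hosts -join ';'   # assumed separator used by the ADMX policy value

if ($joined.Length -le $ClientLimit) {
    # Fits the client limit: write the policy value directly, skipping the editor's UI limit.
    Set-GPRegistryValue -Name $PolicyGpo -Key $PolicyKey -ValueName $Realm `
        -Type String -Value $joined | Out-Null
    "Wrote $($hosts.Count) hosts ($($joined.Length) chars) to the ADMX policy value for $Realm"
    return
}

# Too long for the policy: register each host locally with ksetup instead.
"List is $($joined.Length) chars (> $ClientLimit); using ksetup and a Registry Preference"
foreach ($h in $hosts) {
    & ksetup.exe /addhosttorealmmap $h $Realm | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "ksetup /addhosttorealmmap failed for $h (exit $LASTEXITCODE)" }
}

# Replay every value ksetup created under HostToRealm (the key itself and any subkeys)
# into the Registry Preferences of the target GPO, preserving each value's registry type.
$regPath = $HostToRealm -replace '^HKLM\\', 'HKLM:\'
$keys = @(Get-Item -Path $regPath) + @(Get-ChildItem -Path $regPath -Recurse)
foreach ($k in $keys) {
    $gpKey = 'HKLM\' + $k.Name.Substring('HKEY_LOCAL_MACHINE\'.Length)
    foreach ($valueName in $k.GetValueNames()) {
        if (-not $valueName) {
            Write-Warning "Skipping unnamed (default) value under $gpKey"
            continue
        }
        Set-GPPrefRegistryValue -Name $PrefGpo -Context Computer -Action Update `
            -Key $gpKey -ValueName $valueName -Type $k.GetValueKind($valueName) `
            -Value $k.GetValue($valueName) | Out-Null
    }
}
"Replayed HostToRealm entries for $Realm into the Registry Preferences of '$PrefGpo'"
```

The Registry Preference item is written with -Action Update so that re-running the script after the text file changes refreshes existing values rather than failing on duplicates. Because the mapping data then lives under HKLM\SYSTEM rather than under the policy hive, it is not subject to the ADMX 2,048-character limit, only to the general hive size limits the article mentions.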

References

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. We make no warranty, implied or otherwise, about the performance or reliability of these products.

We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.
