Internet Explorer logon fails due to an insufficient buffer for Kerberos

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry


During the process of connecting to an Internet Information Server (IIS) server configured for Windows 2000 authentication, the user is presented with the Enter Network Password dialogue box. The user attempts to log on. The credentials are requested and supplied, and then the following error page is displayed, even though the credentials are valid:
You are not authorized to view this page. You do not have permission to view this directory or page using the credentials you supplied.


The credentials are valid and can be utilized to access the same system through the Windows NT Server service through the net use command. However, Wininet may fail to allocate a sufficient buffer for containing the user's Kerberos token. This may occur if the user is a member of more than 100 groups, for example.


This problem involves an Internet Explorer wininet buffering problem. To resolve this problem, apply either the following hotfix, Windows 2000 Service Pack 2 (SP2) or an Internet Explorer update, and then set the MaxTokenSize registry parameter (described in the "More Information" section of this article) on all client computers.

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
The English version of this fix should have the following file attributes or later:

Date Time Version Size File name
10/13/2000 04:35p 5.0.3210.1300 459,536 Wininet.dll


Reduce the number of groups that the user is a member of.


Microsoft has confirmed that this is a problem in Microsoft Windows 2000.

More Information

For more information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the following article number to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 hotfixes

Note The hotfix described in the "Resolution" section of this article supersedes the hotfix originally provided in the following Microsoft Knowledge Base article:
269643 Internet Explorer Kerberos authentication does not work because of an insufficient buffer connecting to IIS

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
This hotfix provides a registry parameter that you can use to increase the Kerberos token size. For example, increasing the token to 65 KB will allow a user to be present in more than 900 groups. Due to the associated security identifier (SID) information, this number may vary.

Perform the following in order to set this parameter:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate and click the following registry setting:
  3. On the Edit menu, click Add Value, and then add the following registry value:
    Value name: MaxTokenSize
    Data type: REG_DWORD
    Radix: Decimal
    Value data: 65535
  4. Quit Registry Editor.
The default value for MaxTokenSize is 12000 decimal. Microsoft recommends that you set this value to 65535 decimal, FFFF hexadecimal. If you set this value incorrectly to 65535 hexadecimal (an extremely large value) Kerberos authentication operations may fail, and programs will return errors.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

297869 SMS Administrator issues after you modify the Kerberos MaxTokenSize registry value

After you set the value and the computer is updated, restart the computer. Although you must update the domain controllers individually, you can use Group Policy settings to set this value for client computers that have also been updated. You must configure all client systems and servers in the domain with this registry modification and update the systems with Windows 2000 SP2 or the hotfixes.

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

313661 FIX: Error message: "Timeout Expired" occurs when you connect to SQL Server over TCP/IP and the Kerberos MaxTokenSize is greater than 0xFFFF

300367 DCOM Client may put memory on the wire

For more information on Kerberos token size configuration and support in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

263693 Group Policy may not be applied to users belonging to many groups

Steps to Reproduce Behavior

  1. Create a Windows NT account.
  2. Make sure that Active Directory is installed and Integrated Authentication is configured.
  3. Add the account to approximately 100 different groups.
  4. Create a second account and add it to three of the groups.
The first account cannot browse via http://<servername>, but the second account can.
Note The following script using Creategroup.vbs from the reskit was used to reproduce the problem:

CreateGroup.vbs from the resource kit is a viable method for doing so.
creategroup LDAP: DC=Domain,DC=Org,DC=Company,DC=com GroupName1
CN=administrator,CN=Users,DC=Domain,DC=Org,dc=Company,dc=com password

Номер статьи: 277741 — последний просмотр: 9 июля 2008 г. — редакция: 1

Отзывы и предложения