Kerberos authentication may not work if user is a member of many groups (280830)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
This article was previously published under Q280830.

Important: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base: 256986 Description of the Microsoft Windows Registry

SYMPTOMS
If a user is a member of many groups either directly or because of group nesting, Kerberos authentication may not work. The Group Policy object (GPO) may not be applied to the user and the user may not be validated to use network resources.
If the Administrator is a member of more than 70 to 80 groups, there may be two additional symptoms:
- When logging on to a domain controller (DC), Event ID 1000 is generated in the System log.
- Running Dcpromo to bring up a new DC results in "Access Denied" when you enter the domain administrator credentials.
If the user has an associated logon script, the script may fail with one of the following error messages:
Not enough storage is available to complete this operation.
Hexadecimal values: 800a0007, 8007000e
Decimal values: -2146828281, -2147024882
CAUSE
The Kerberos token has a fixed size. If a user is a member of a group either directly or by membership in another group, the security ID (SID) for that group is added to the user's token. For a SID to be added to the user's token, it must be communicated by using the Kerberos token. If the required SID information exceeds the size of the token, authentication does not succeed. The number of groups varies, but the limit is approximately 70 to 80 groups.
For many operations, Windows NTLM authentication succeeds; the Kerberos authentication problem may not be evident without analysis. However, operations that include GPO application do not work at all.
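As an added example (not part of this Knowledge Base article), the following Python script counts each user's effective group membership, direct and through nesting, and flags users who reach the approximate 70-group limit the article describes. The user and group data are constructed for illustration, and the 70-group threshold is the article's approximation rather than a fixed limit.

```python
from collections import deque

# Constructed sample directory data (not from the article): each user's direct
# groups, and for each group the groups that it is itself a member of.
USER_GROUPS = {
    "alice": ["Sales", "Project-A"],
    "admin1": [f"App-{n:02d}" for n in range(60)] + ["Domain Admins"],
}
GROUP_PARENTS = {
    "Sales": ["Staff"],
    "Project-A": ["Staff"],
    "Staff": ["Everyone-Org"],
    "Everyone-Org": ["Staff"],  # deliberate nesting loop: traversal must terminate
    "App-Users": ["Staff"],
}
for n in range(60):  # each App-nn group is nested in App-Users and one of 15 site groups
    GROUP_PARENTS[f"App-{n:02d}"] = ["App-Users", f"Site-{n % 15:02d}"]

APPROX_GROUP_LIMIT = 70  # the article's approximate limit; the real limit varies

def effective_groups(user, user_groups=USER_GROUPS, group_parents=GROUP_PARENTS):
    """Return every group the user belongs to, directly or through nesting.

    Breadth-first walk up the nesting graph; 'seen' both collects the result
    and stops the walk from looping when groups are nested in each other.
    """
    seen = set()
    queue = deque(user_groups.get(user, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(group_parents.get(group, []))
    return seen

def users_over_limit(limit=APPROX_GROUP_LIMIT, user_groups=USER_GROUPS,
                     group_parents=GROUP_PARENTS):
    """Map each user whose effective group count reaches 'limit' to that count."""
    result = {}
    for user in user_groups:
        count = len(effective_groups(user, user_groups, group_parents))
        if count >= limit:
            result[user] = count
    return result

if __name__ == "__main__":
    for user, count in users_over_limit().items():
        print(f"{user}: {count} effective groups (limit ~{APPROX_GROUP_LIMIT})")
```

In the constructed data, admin1 holds only 61 direct memberships but 79 effective ones once nesting is expanded, which is exactly the range in which the article says Kerberos authentication starts to fail.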
RESOLUTION
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows 2000 service pack that contains this hotfix. To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

Note: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
The English version of this fix should have the following file attributes or later:
Date         Time     Version         Size      File name
--------------------------------------------------------
10/20/2000   09:52a   5.0.2195.2530   206,896   Kerberos.dll
10/19/2000   03:04p   5.0.2195.2531   69,456    Ksecdd.sys
Note that you must use the MaxTokenSize registry parameter that this hotfix makes available to increase the Kerberos token size. See the "More Information" section of this article for additional information.
This fix should be implemented on every computer in the enterprise, and the value for MaxTokenSize should be identical on each computer. A client uses this parameter for Internet Explorer Wininet operations that require Kerberos authentication to an IIS server. The value also sets the size of the Kerberos token used by clients, servers, and domain controllers.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Modification Type: Minor
Last Reviewed: 10/7/2005
Keywords: kbHotfixServer kbQFE kbbug kbfix kbQFE kbWin2000PreSP2Fix KB280830