New resolution for problems that occur when users belong to many groups (327825)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP3
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP3
This article was previously published under Q327825.
SYMPTOMS
When a user belongs to many groups, that user may have problems with authentication or with Group Policy settings. The following Microsoft Knowledge Base articles describe these symptoms in more detail:
269643 Internet Explorer Kerberos authentication does not work because of an insufficient buffer connecting to IIS
280380 FIX: Buffer overflow exploit possible with extended stored procedures
The existing resolution that is described in these articles instructs you to modify the MaxTokenSize registry value. An improvement has been made to this resolution. If you use the hotfix that is described in this article, you may not have to edit the default MaxTokenSize value. The hotfix that is described in this article supersedes the hotfixes that are described in the Microsoft Knowledge Base articles that are listed in this section.
CAUSE
The user is not able to authenticate because the Kerberos token that is generated during authentication attempts has a fixed maximum size. Transports such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication. In Windows 2000 (the original released version), the MaxTokenSize value is 8,000 bytes. In Windows 2000 Service Pack 2 (SP2) and Microsoft Windows Server 2003, the MaxTokenSize value is 12,000 bytes.
If a user is a member of more than 120 groups, the buffer that is determined by the MaxTokenSize value is not large enough. As a result, users cannot authenticate, and they may receive an "out of memory" error message. Before you apply the hotfix that is described in this article, every group that is added to a user account adds 40 bytes to the token.
NOTE: In many scenarios, Windows NTLM authentication works as expected; you may not see the Kerberos authentication problem without analysis. However, scenarios in which Group Policy settings are applied may not work as expected.
RESOLUTION
Note Microsoft Windows Server 2003 and Microsoft Windows XP Professional include a fix for this problem.
Service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
Hotfix information
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows 2000 service pack that contains this hotfix. To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Date Time Version Size File name
--------------------------------------------------------
26-Sep-2002 11:39 5.0.2195.6069 124,176 Adsldp.dll
26-Sep-2002 11:39 5.0.2195.5781 131,344 Adsldpc.dll
26-Sep-2002 11:39 5.0.2195.5781 62,736 Adsmsext.dll
26-Sep-2002 11:39 5.0.2195.6052 358,160 Advapi32.dll
26-Sep-2002 11:39 5.0.2195.6058 49,424 Browser.dll
26-Sep-2002 11:39 5.0.2195.6012 135,952 Dnsapi.dll
26-Sep-2002 11:39 5.0.2195.6012 96,016 Dnsrslvr.dll
26-Sep-2002 11:39 5.0.2195.5722 45,328 Eventlog.dll
26-Sep-2002 11:39 5.0.2195.6059 146,704 Kdcsvc.dll
05-Sep-2002 14:18 5.0.2195.6048 200,976 Kerberos.dll
21-Aug-2002 05:27 5.0.2195.6023 71,248 Ksecdd.sys
25-Sep-2002 15:01 5.0.2195.6072 507,664 Lsasrv.dll
25-Sep-2002 15:01 5.0.2195.6072 33,552 Lsass.exe
27-Aug-2002 11:53 5.0.2195.6034 108,816 Msv1_0.dll
26-Sep-2002 11:39 5.0.2195.5979 307,472 Netapi32.dll
26-Sep-2002 11:39 5.0.2195.5966 360,720 Netlogon.dll
26-Sep-2002 11:39 5.0.2195.6048 918,800 Ntdsa.dll
26-Sep-2002 11:39 5.0.2195.6025 389,392 Samsrv.dll
26-Sep-2002 11:39 5.0.2195.5951 129,296 Scecli.dll
26-Sep-2002 11:39 5.0.2195.5951 302,864 Scesrv.dll
26-Sep-2002 11:39 5.0.2195.5859 48,912 W32time.dll
04-Jun-2002 10:32 5.0.2195.5859 57,104 W32tm.exe
26-Sep-2002 11:39 5.0.2195.6052 126,224 Wldap32.dll
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Windows 2000 Service Pack 4.
MORE INFORMATION
Previously, if users experienced this problem, you had to adjust the Kerberos MaxTokenSize value to resume operations. To resolve this problem, you had to update this value on all domain workstations. If you use the hotfix that is described in this article, you do not have to modify the MaxTokenSize registry value in most cases. However, there are some scenarios in which you have to modify the MaxTokenSize registry value after you apply this hotfix. After you apply this hotfix to all the domain controllers, use the following formula to determine whether you have to modify the MaxTokenSize value:
TokenSize = 1200 + 40d + 8s
This formula uses the following values:
- d: The number of domain local groups a user is a member of, plus the number of universal groups outside the user's account domain, plus the number of groups represented in security ID (SID) history.
- s: The number of security global groups that a user is a member of, plus the number of universal groups in the user's account domain.
- 1200: The estimated value for ticket overhead. This value can vary depending on factors such as the DNS domain name length and the client name.
In scenarios in which delegation is used (for example, when users authenticate to a domain controller), Microsoft recommends that you double the token size. If the token size that you calculate by using this formula is less than 12,000 bytes (the default size), you do not have to modify the MaxTokenSize registry value on domain clients. If the value is more than 12,000 bytes, see the following Microsoft Knowledge Base article for a description of how to adjust the MaxTokenSize registry value:
263693 Group Policy may not be applied to users belonging to many groups
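The following calculator is an added worked example, not code from the article or from Microsoft. It applies the article's formula TokenSize = 1200 + 40d + 8s, doubles the result where delegation is used, and compares the estimate with the MaxTokenSize defaults the article gives (8,000 bytes for the original Windows 2000 release, 12,000 bytes from SP2 on). The Membership type, the two sample users, and the pre-hotfix comparison (which assumes the same 1,200-byte overhead and the article's 40 bytes for every group) are constructed for this example.

```python
"""Kerberos token-size estimate per KB 327825 (added example, not article code).

Applies TokenSize = 1200 + 40d + 8s, doubles it under delegation, and checks
the result against the MaxTokenSize defaults named in the article. Membership
categories, sample users and the pre-hotfix comparison are constructed here.
"""
from dataclasses import dataclass

TICKET_OVERHEAD = 1200        # article's estimated ticket overhead (varies with DNS name, client name)
BYTES_PER_D_GROUP = 40        # each domain local, foreign universal, or SID-history entry (full SID)
BYTES_PER_S_GROUP = 8         # each global or same-domain universal group after the hotfix
MAXTOKENSIZE_W2K_RTM = 8000   # Windows 2000 original release default
MAXTOKENSIZE_W2K_SP2 = 12000  # Windows 2000 SP2 and Windows Server 2003 default


@dataclass(frozen=True)
class Membership:
    """Group-membership counts for one user, split the way the formula needs them."""
    domain_local: int = 0                      # counted in d
    universal_outside_account_domain: int = 0  # counted in d
    sid_history: int = 0                       # counted in d
    global_security: int = 0                   # counted in s
    universal_in_account_domain: int = 0       # counted in s

    @property
    def d(self) -> int:
        return self.domain_local + self.universal_outside_account_domain + self.sid_history

    @property
    def s(self) -> int:
        return self.global_security + self.universal_in_account_domain

    @property
    def total_groups(self) -> int:
        return self.d + self.s


def token_size(m: Membership, delegation: bool = False) -> int:
    """Post-hotfix estimate: 1200 + 40d + 8s, doubled when delegation is in use."""
    size = TICKET_OVERHEAD + BYTES_PER_D_GROUP * m.d + BYTES_PER_S_GROUP * m.s
    return 2 * size if delegation else size


def pre_hotfix_token_size(m: Membership, delegation: bool = False) -> int:
    """Before the hotfix the article says every group costs 40 bytes.
    Assumption (not stated by the article): the same 1200-byte overhead applies."""
    size = TICKET_OVERHEAD + BYTES_PER_D_GROUP * m.total_groups
    return 2 * size if delegation else size


def needs_maxtokensize_change(m: Membership, delegation: bool = False,
                              max_token_size: int = MAXTOKENSIZE_W2K_SP2) -> bool:
    """True when the estimate does not stay below MaxTokenSize.
    The article says 'less than 12,000' needs no change; an exact hit is treated as not fitting."""
    return token_size(m, delegation) >= max_token_size


def assess(m: Membership, delegation: bool = False,
           max_token_size: int = MAXTOKENSIZE_W2K_SP2) -> dict:
    """Summary used by the demo below; all values are derived from the functions above."""
    return {
        "d": m.d,
        "s": m.s,
        "pre_hotfix_estimate": pre_hotfix_token_size(m, delegation),
        "post_hotfix_estimate": token_size(m, delegation),
        "max_token_size": max_token_size,
        "needs_change": needs_maxtokensize_change(m, delegation, max_token_size),
    }


# Constructed sample users (not from the article).
LIGHT_USER = Membership(domain_local=50, universal_outside_account_domain=10,
                        global_security=200, universal_in_account_domain=5)
HEAVY_USER = Membership(domain_local=150, universal_outside_account_domain=40, sid_history=30,
                        global_security=300, universal_in_account_domain=20)

if __name__ == "__main__":
    for name, user in (("light", LIGHT_USER), ("heavy", HEAVY_USER)):
        for delegation in (False, True):
            r = assess(user, delegation)
            print(f"{name:5} delegation={delegation!s:5} d={r['d']:3} s={r['s']:3} "
                  f"pre={r['pre_hotfix_estimate']:6} post={r['post_hotfix_estimate']:6} "
                  f"needs_change={r['needs_change']}")
```

Running the demo shows why the hotfix helps: the light user's 265 groups cost 11,800 bytes under the old 40-bytes-per-group rule but only 5,240 bytes once global and same-domain universal groups count 8 bytes each, while the heavy user still exceeds 12,000 bytes even without delegation and therefore needs the MaxTokenSize adjustment described in KB 263693.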
For more information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the following article number to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server product
Modification Type: Minor
Last Reviewed: 9/22/2006
Keywords: kbQFE kbHotfixServer kbSecurity kbWin2kSP4fix kbbug kbfix kbWin2000PreSP3Fix kbWin2000preSP4Fix KB327825