Internet Explorer logon fails due to an insufficient buffer for Kerberos (277741)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
This article was previously published under Q277741
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SYMPTOMS

During the process of connecting to an Internet Information Server (IIS) server configured for Windows 2000 authentication, the user is presented with the Enter Network Password dialogue box. The user attempts to log on. The credentials are requested and supplied, and then the following error page is displayed, even though the credentials are valid:
You are not authorized to view this page. You do not have permission to view this directory or page using the credentials you supplied.

CAUSE

The credentials are valid and can be utilized to access the same system through the Windows NT Server service through the net use command. However, Wininet may fail to allocate a sufficient buffer for containing the user's Kerberos token. This may occur if the user is a member of more than 100 groups, for example.

RESOLUTION

This problem involves an Internet Explorer wininet buffering problem. To resolve this problem, apply either the following hotfix, Windows 2000 Service Pack 2 (SP2) or an Internet Explorer update, and then set the MaxTokenSize registry parameter (described in the "More Information" section of this article) on all client computers.

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows 2000 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question. The English version of this fix should have the following file attributes or later:
   Date        Time    Version      Size    File name
   --------------------------------------------------
   10/13/2000  04:35p 5.0.3210.1300 459,536 Wininet.dll

WORKAROUND

Reduce the number of groups that the user is a member of.

STATUS

Microsoft has confirmed that this is a problem in Microsoft Windows 2000.

MORE INFORMATION

For more information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the following article number to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 hotfixes

Note The hotfix described in the "Resolution" section of this article supersedes the hotfix originally provided in the following Microsoft Knowledge Base article:

269643 Internet Explorer Kerberos authentication does not work because of an insufficient buffer connecting to IIS

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
This hotfix provides a registry parameter that you can use to increase the Kerberos token size. For example, increasing the token to 65 KB will allow a user to be present in more than 900 groups. Due to the associated security identifier (SID) information, this number may vary.

Perform the following in order to set this parameter:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate and click the following registry setting:

    System\\CurrentControlSet\\Control\\Lsa\\Kerberos\Parameters

  3. On the Edit menu, click Add Value, and then add the following registry value:

    Value name: MaxTokenSize
    Data type: REG_DWORD
    Radix: Decimal
    Value data: 65535

  4. Quit Registry Editor.
The default value for MaxTokenSize is 12000 decimal. Microsoft recommends that you set this value to 65535 decimal, FFFF hexadecimal. If you set this value incorrectly to 65535 hexadecimal (an extremely large value) Kerberos authentication operations may fail, and programs will return errors. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

297869 SMS Administrator issues after you modify the Kerberos MaxTokenSize registry value

After you set the value and the computer is updated, restart the computer. Although you must update the domain controllers individually, you can use Group Policy settings to set this value for client computers that have also been updated. You must configure all client systems and servers in the domain with this registry modification and update the systems with Windows 2000 SP2 or the hotfixes.

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

313661 FIX: Error message: "Timeout Expired" occurs when you connect to SQL Server over TCP/IP and the Kerberos MaxTokenSize is greater than 0xFFFF

300367 DCOM Client may put memory on the wire

For more information on Kerberos token size configuration and support in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

263693 Group Policy may not be applied to users belonging to many groups

Steps to Reproduce Behavior

  1. Create a Windows NT account.
  2. Make sure that Active Directory is installed and Integrated Authentication is configured.
  3. Add the account to approximately 100 different groups.
  4. Create a second account and add it to three of the groups.
Results:

The first account cannot browse via http://<servername>, but the second account can.

Note The following script using Creategroup.vbs from the reskit was used to reproduce the problem: 

CreateGroup.vbs from the resource kit is a viable method for doing so.
creategroup LDAP: DC=Domain,DC=Org,DC=Company,DC=com GroupName1
CN=administrator,CN=Users,DC=Domain,DC=Org,dc=Company,dc=com password
creategrp.log
...

Modification Type:MinorLast Reviewed:1/23/2006
Keywords:kbHotfixServer kbbug kbfix kbQFE KB277741
©2004 Microsoft Corporation. All rights reserved.