Performance issues with Kerberos token size in ARM

Updated November 8, 2018

Overview

This article describes the problems caused by an oversized Kerberos token. Users may observe the following symptoms:

  • Users cannot log in to the system
  • Users report that authentication to individual services no longer works
  • Users report that authentication works in their own domain, but not for services in a foreign (trusted) domain

Environment

  • Access Rights Manager

Cause

  • Due to too many group memberships, the Kerberos token becomes too big.
    • In Windows Server 2008 R2 or Windows 7 and earlier, the token size is limited to 12,000 bytes.
    • As of Windows Server 2012 and Windows 8, this value is set to 48,000 bytes.
  • The token size is calculated as 1,200 + 40d + 8s, where d is the number of domain-local groups plus universal groups from outside the user's own domain, and s is the number of global groups plus universal groups from the user's own domain.
  • Depending on company size and AD structure, the number of group memberships may exceed the space available in the Kerberos token.
    • A 1:1 relationship between resource and AD group is established, so a resource group grants its members permissions for exactly one resource.
    • When a user is given several folder permissions and/or list permissions, the number of group memberships increases accordingly. Each membership requires a certain amount of space in the token: domain-local and foreign universal groups consume 40 bytes each, global and own-domain universal groups consume 8 bytes each.
    • In total, the value of 12,000 bytes (Server 2008 R2, Windows 7 and older) must not be exceeded; otherwise various authentication problems arise, for example with single sign-on.
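
As an added example (not SolarWinds or ARM code), the following PowerShell function applies the formula above to a list of group memberships and compares the estimate with both limits. The group list it runs on is constructed sample data, and the Domain property on each object is an assumption used to tell own-domain universal groups from foreign ones.

```powershell
# Added example, not part of ARM. Estimates Kerberos token size from group
# memberships using the formula from this article: 1,200 + 40d + 8s.
function Get-KerberosTokenEstimate {
    [CmdletBinding()]
    param(
        # Objects with GroupScope (DomainLocal/Global/Universal) and an assumed Domain string
        [Parameter(Mandatory)] [object[]] $Groups,
        # DNS name of the domain the user account lives in
        [Parameter(Mandatory)] [string] $AccountDomain
    )
    $d = 0; $s = 0
    foreach ($g in $Groups) {
        switch ($g.GroupScope) {
            'DomainLocal' { $d++ }                       # 40 bytes each
            'Global'      { $s++ }                       # 8 bytes each
            'Universal'   {                              # depends on which domain owns it
                if ($g.Domain -eq $AccountDomain) { $s++ } else { $d++ }
            }
            default { Write-Warning "Unknown scope '$($g.GroupScope)' for $($g.Name)" }
        }
    }
    $size = 1200 + 40 * $d + 8 * $s
    [pscustomobject]@{
        DomainLocalOrForeignUniversal = $d
        GlobalOrOwnUniversal          = $s
        EstimatedBytes                = $size
        FitsLegacyLimit               = ($size -le 12000)   # Server 2008 R2 / Windows 7 and earlier
        FitsCurrentLimit              = ($size -le 48000)   # Server 2012 / Windows 8 and later
    }
}

# Constructed sample: 300 resource groups (domain-local, one per folder, as in the
# 1:1 model above), 20 global groups and 5 universal groups from a trusted foreign domain.
$sample = @()
$sample += 1..300 | ForEach-Object { [pscustomobject]@{ Name = "res-$_";  GroupScope = 'DomainLocal'; Domain = 'corp.example' } }
$sample += 1..20  | ForEach-Object { [pscustomobject]@{ Name = "role-$_"; GroupScope = 'Global';      Domain = 'corp.example' } }
$sample += 1..5   | ForEach-Object { [pscustomobject]@{ Name = "ext-$_";  GroupScope = 'Universal';   Domain = 'partner.example' } }

# Yields 1,200 + 40*305 + 8*20 = 13,560 bytes: over the 12,000-byte legacy limit, within 48,000.
Get-KerberosTokenEstimate -Groups $sample -AccountDomain 'corp.example' | Format-List
```

In a live domain, feed the function the account's transitive memberships (the token also contains nested groups), with GroupScope taken from Get-ADGroup and Domain derived from each group's distinguished name.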

Resolution

  • Remove external trusts
    • Change the domain-local permission group to universal groups
    • If the ARM group wizard is used, the operating mode must also be adjusted.
  • Increase the token size on all computers in the domain
    • For instructions on setting up a GPO, see How to use Group Policy to add the MaxTokenSize registry entry to multiple computers.
      Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment. You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.
    • All devices, including servers and clients, must be rebooted.
