02 Apr 2013

How the Kerberos token size can affect WinRM and other Kerberos based services

It’s like a little but really mean ghost which seems to follow me over all my IT career, it’s called “kerberos token”. I’ve debugged a lot of kerberos errors the last years, but the overall evergreen is a parameter called “MaxTokenSize”. Depending on the Windows OS version it has a default value of 12’000 bytes(WinXP,Vista,Win7) and 48’000 bytes (Win8). The kerberos token size grows depending on the following facts:

  • Amount of direct and indirect Domain group memberships
  • Whether user has or has not a SID history and if so, the number of entries
  • Authentication method (username/password or multifactor like Smart Cards)
  • User is enabled for Kerberos delegation

You can “calculate” or in other, better words, “estimate” the kerberos token size with the following formula. (Quoted from: KB327825)

TokenSize = 1200 + 40d + 8s

This formula uses the following values:

  • d: The number of domain local groups a user is a member of plus the number of universal groups outside the user’s account domain that the user is a member of plus the number of groups represented in security ID (SID) history.
  • s: The number of security global groups that a user is a member of plus the number of universal groups in a user’s account domain that the user is a member of.
  • 1200: The estimated value for ticket overhead. This value can vary, depending on factors such as DNS domain name length, client name, and other factors.

Things that may occur, if the size exceeds the OS defined values:

  • Domain Join does not work (“not enough storage to perform this operation“, and other possible weird error messages)
  • Kerberos delegation fails
  • Access and single sign on to kerberos enabled services fails and NTLM fall back is showing a logon pop up box
  • WinRM / Remote Powershell sessions fail to establish with the following error: “The WinRM client cannot process the request. It cannot determine the content type of the HTTP response from the destination computer

 How to increase the default values?

(Requires a reboot after modification)
The supported max value is 65335. However you should consider methods to reduce the token size, rather than use the max value everywhere.

**For basic services
** Add the following Registry Key to all your Windows clients and servers

New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters -Name "MaxTokenSize" -Value 65335 -PropertyType "DWORD"

**For WinRM / Remote Powershell and other HTTP based services
** Add the following Registry value to all your servers

New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters -Name "MaxFieldLength" -Value 65335 -PropertyType "DWORD" New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters -Name "MaxRequestBytes" -Value 40000 -PropertyType "DWORD"


Other useful resources:

(Quoted from ShaneC33’s Blog)

How to use Group Policy to add the MaxTokenSize registry entry to multiple computers


New resolution for problems with Kerberos authentication when user belongs to many groups

“HTTP 400 – Bad Request (Request Header too long)” error in Internet Information Services (IIS)

Users who are members of more than 1,015 groups may fail logon authentication

Group Policy may not be applied to users belonging to many groups