How to fix Kerberos Event ID 6 when a user is a member of too many groups

Author: NetworkAdminKB.com
Created: 2007-11-26
Modified: 2008-11-19


Issue:

When a user is a member of too many groups, the following warning may be recorded in the System Event Log:

Source: Kerberos

Event ID: 6

Type: Warning

Description:

The Kerberos SSPI package generated an output token of size 2F49 bytes, which was too large to fit in the 2F48 buffer buffer provided by process id 0.  If the condition persists, please contact your system administrator.

Other symptoms of being a member of too many groups are:

1) Internet Explorer reports "The page cannot be displayed" for sites that use Kerberos authentication.

2) Group Policy does not apply for the affected users.

In some cases the Kerberos Event ID 6 is recorded in the System Event Log; in other cases a different error, or no error at all, is given as to what the problem may be.

Cause:

The Kerberos token has a fixed maximum size. If a user is a member of a group, either directly or through group nesting, the security identifier (SID) for that group is added to the user's token. Once a SID is in the user's token it is passed in the Kerberos ticket during every authentication. If the required SID information exceeds the size of the token, authentication does not succeed. The exact number of groups varies, but the limit is approximately 150-250 groups.
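The group count that matters is the number of SIDs carried in the token, which includes nested membership. The following PowerShell script is an added example (not from the original article) that reads a user's constructed tokenGroups attribute, which Active Directory expands recursively, and reports how close the user is to the range described above. It assumes it is run from a domain-joined machine and that the sAMAccountName is supplied by the caller; the 150 threshold is simply the lower bound the article quotes.

```powershell
# Added example: count the group SIDs that will be carried in a user's
# Kerberos token by reading tokenGroups (nested membership already expanded).
# Assumes a domain-joined machine; no RSAT module is required.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName
)

# Escape LDAP filter metacharacters so an odd account name cannot alter the query
$escaped = $SamAccountName -replace '([\\*()\x00])', { '\{0:x2}' -f [int][char]$_.Groups[1].Value }

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$escaped))"
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
$result = $searcher.FindOne()
if (-not $result) { throw "User '$SamAccountName' not found." }

# tokenGroups is a constructed attribute, so it must be requested explicitly
$user = $result.GetDirectoryEntry()
$user.RefreshCache(@('tokenGroups'))
$sids = foreach ($bytes in $user.Properties['tokenGroups']) {
    New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}

[pscustomobject]@{
    User      = $SamAccountName
    GroupSIDs = $sids.Count
    # 150 is the lower end of the range the article gives for the default token size
    NearLimit = ($sids.Count -ge 150)
}
```

Run it as `.\Get-TokenGroupCount.ps1 -SamAccountName jdoe` (file name assumed). Because tokenGroups is computed by the domain controller, the count reflects the same nested expansion the KDC performs when it builds the ticket, which makes it a better indicator than counting direct memberships.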

Solution:

A registry parameter is available that allows you to increase the maximum Kerberos token size. For example, increasing the token size to 64 KB (65,535 bytes) allows a user to be a member of more than 900 groups. Because of the associated SID information, this number may vary.

To configure this parameter, do the following on every Domain Controller and on every server and workstation in the domain.

1) Start Registry Editor (Regedit.exe).

2) Locate and click the following key in the registry:

   HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

3) If the Parameters key is not present, create it. To do so:

   a. Click the following key in the registry:

      HKLM\System\CurrentControlSet\Control\Lsa\Kerberos

   b. On the Edit menu, click Add Key.

   c. Create a Parameters key.

   d. Click the new Parameters key.

4) On the Edit menu, click Add Value, and then add the following registry value:

   a. Value name: MaxTokenSize
   b. Data type: REG_DWORD
   c. Radix: Decimal
   d. Value data: 65,535

5) Quit Registry Editor.

6) In Windows 2000 (the original released version), the default MaxTokenSize value is 8,000 bytes. In Windows 2000 Service Pack 2 (SP2) and Microsoft Windows Server 2003, the default MaxTokenSize value is 12,000 bytes.

   a. Microsoft recommends that you set this value to 65,535 decimal (0xFFFF hexadecimal). If you incorrectly set this value to greater than 65,535 decimal, Kerberos authentication operations may fail, and programs may return errors.
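Since the change has to be made on every Domain Controller, server and workstation, doing it by hand in Regedit does not scale. The following PowerShell script is an added example (not from the original article) that performs steps 2 through 4 on the local machine: it creates the Parameters key if it is missing, reports the current value, and sets MaxTokenSize to 65,535 only if it is not already there. It assumes an elevated session; the value does not take effect until the machine is restarted.

```powershell
# Added example: apply the MaxTokenSize setting from the procedure above on
# the local machine. Run elevated; a restart is required for it to take effect.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$desired = 65535   # 0xFFFF, the recommended maximum; larger values break Kerberos

# Step 3: create the Parameters key if it does not exist
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
    Write-Host "Created key $keyPath"
}

# Report the value currently in place (absent means the OS default applies)
$current = (Get-ItemProperty -Path $keyPath -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
if ($null -eq $current) {
    Write-Host 'MaxTokenSize is not set; the OS default applies.'
} elseif ($current -gt $desired) {
    # Guard against the misconfiguration the article warns about
    Write-Warning ("MaxTokenSize is {0}, which exceeds the supported maximum of {1}." -f $current, $desired)
} else {
    Write-Host ('MaxTokenSize is currently {0} (0x{0:X}).' -f $current)
}

# Step 4: write the REG_DWORD value only when it differs from the target
if ($current -ne $desired) {
    New-ItemProperty -Path $keyPath -Name MaxTokenSize -PropertyType DWord -Value $desired -Force | Out-Null
    Write-Host "MaxTokenSize set to $desired; restart the machine to apply it."
} else {
    Write-Host 'MaxTokenSize already set to the recommended value; nothing to do.'
}
```

To roll the setting out domain-wide, run the same script on each machine (for example through Invoke-Command with PowerShell remoting) or deliver the value through Group Policy Preferences; either way, the value must be present on the Domain Controllers as well as on the clients and member servers, as the procedure states.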

More Information:

New resolution for problems with Kerberos authentication when users belong to many groups
http://support.microsoft.com/kb/327825

Internet Explorer logon fails due to an insufficient buffer for Kerberos
http://support.microsoft.com/kb/277741/

Group Policy may not be applied to users belonging to many groups
http://support.microsoft.com/kb/263693/

SMS administrator issues after you modify the Kerberos MaxTokenSize registry value
http://support.microsoft.com/kb/297869/

Kerberos protocol registry entries and KDC configuration keys in Windows Server 2003
http://support.microsoft.com/kb/837361/

How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000
http://support.microsoft.com/kb/244474

Troubleshooting Kerberos Errors
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication
http://support.microsoft.com/kb/215383/

Article ID: 38, Created On: 9/16/2011, Modified: 9/16/2011