Archives for September 2010

Alka-Seltzer for your Windows Token Bloat

As most Windows administrators know when you logon to any system locally or remotely Windows generates a token that contains a list of security identifiers of all the groups the user belongs to. In large environments or where you have implemented granular role-based security, top-tier users could be a member of hundreds of groups. At some point you will exceed the default token size and experience some problems. Token bloat has struck!

The exact nature of the problem could be minor, or relatively major. You may get weird access denied messages, applications crashing, or strange entries in your event logs. Or worse yet a SID for a group that has a ‘deny permission’ on an object could be dropped into the virtual bit bucket, allowing a user to access a resource they are not supposed to access. Not good! Get ready to grab some Alka-Seltzer and your resume.

Thankfully there are several ways to combat this problem, and make it almost irrelevant for 99.99% of the organizations out there. R-e-l-i-e-f is close at hand. Starting in Windows 2000 SP4 and later the maximum token size was increased from 8,000 bytes to 12,000 bytes. Domain local groups consume 40 bytes per SID, while global and universal groups only consume 8 bytes per SID. There are approximately 400-1,200 bytes of ticket overhead, so worst case tokens will start to break around 270 domain-local groups. 270 can be low in large environments.

Are you thinking what I’m thinking? Let’s dispense with domain local groups and use global or universal groups for everything. Sure that’s an option, but it may not work so well in multi-domain or multi-forest environments. But you can probably do some combination of domain local and global/universal groups so help limit token sizes. If you are a single forest/domain, then domain local groups could likely be dispensed with.

How about a registry hack to increase the 12,000 byte limit to something larger? Sure! That’s a possibility too. If you navigate to HKLMSystemCurrentControlSetControlLSAKerberosParameters you can configure a REG_DWORD value for MaxTokenSize that can go up to 65535, decimal. But the trick is every machine in your forest needs to have this registry key updated, a perfect situation to use a GPO or computer start up script. Before you make this system wide change, do VERY VERY thorough testing with all of your applications.

Finally, a little known fact is that distribution groups (vice security groups) do not add to a user’s token bloat. So if you have email enabled groups that are only used for email and not ACLs on any resources, you can convert those security groups to distribution groups.

Summary of fixes for token bloat:
1) Use global or universal groups instead of domain local.
2) Increase the MaxTokenSize on all computers
3) Convert security groups to distribution groups if they are only used for email lists.

But wait, it’s not all sunshine and roses…more heartburn is on the way. There’s another Windows limitation that you will hit long before you are a member of 8,000+ groups. There is a hard-coded limit of 1,024 SIDs for the Kerberos PAC (privilege attribute certificate). Taking into account the nine default SIDs for any domain user (authenticated users, everyone, etc.) the real limit is 1,015 groups..of any type. If you go over this limit you may see a a logon error stating “the system cannot log you on due to the following error: during a logon attempt the user acquired to many security identifiers.” Oops!!

So the bottom line is the largest value your token size could be is approximately 42,160 bytes (1024 x 40 + 1200). This falls under the 65,536 byte maximum, but far above the 12,000 byte default limit. So if you want to protect yourself against any possible token logon problems increase the maxtokensize to 65,635 and keep group membership to 1,015 groups or less. This impacts both Kerberos and NTLM authentication protocols.

There are some good Microsoft KB articles that talk about this problem which are worth checking out. They are: 906208, 263693, and 327825. Microsoft also wrote a very detailed white paper on access token limitations you can download here. Microsoft also has a token size troubleshooting utility (tokensz) you can download here. Before you go changing any registry keys thoroughly read all of these resources.

© 2017 - Sitemap