Windows – Kerberos Token Max

Who don’t love Kerberos?

It is a computer network authentication protocol which works on the basis of ‘tickets’ to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

Remember if you have a web based application you might need to set the MAX token size to increase the max tokens to allow User Authentication.

Steps I follow:


Kerberos Token Max

How to reduce Kerberos token bloat

To reduce the Kerberos Ticket Size you can:

  • Reduce/consolidate group membership
  • Clean up SID History
  • Limit the number of users that are configured to use “trusted for delegation”. The account that are configured to use “trusted   for delegation” the buffer requirements for each SID may double. How to prevent Kerberos login errors due to token bloat To use this parameter:
  •   To allow a user to be a member of more than 900 groups you can increase the size of the MaxTokenSize by modify the following registry key on all workstations.
  1. Start Registry Editor (Regedt32.exe).
  2. Locate and click the following key in the registry: System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  3. If this key is not present, create the key. To do so:
  1. Click the following key in the registry: System\CurrentControlSet\Control\Lsa\Kerberos
  2. On the Edit menu, click Add Key.
  3. Create a Parameters
  4. Click the new Parameters
    1. On the Edit menu, click Add Value, and then add the following registry value: Value name: MaxTokenSize Data type: REG_DWORD Radix: Decimal Value data: 48000
    2. Quit Registry Editor.




Privacy Preference Center