Discussion:
MaxtokenSize Reached
(too old to reply)
josé
2009-09-07 14:33:02 UTC
Permalink
Hello all,

We have issues with Outlook not able to open for some users that are member
of to large groups (~390).

The exact symptoms are :

1. "outlook can not connect to exchange servers" appearing in the right pane
of outlook.

2. In the system eventlog of the user computer, there are several Warning
eventID 6 related to kerberos pb . See:
http://support.microsoft.com/kb/935744 for details.

3. tokensz command launched against the user shows:
Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 12128
Status = 2148074240 0x80090300 SEC_E_INSUFFICIENT_MEMORY

4. those users have no pb accessing resources share on file servers.

The immediate solution was to raise the maxtokensize to 65535.

Results:
The tokensz shows now the following results:
Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 65663
MaxTokenSize (incomplete context): 12372

The user can now open his outlook with success.

Question:
I have a doubt where to apply the reg: is it on the exchange serverside or
on the user's box side ? I apply the reg on the user's computer because i
presumed that the pb WAS on the user's box due to the evenit 6 appearing. Am
i right or wrong ?

Thanx for clarification :)

Jose.
rishicool2002
2009-09-07 18:00:24 UTC
Permalink
Jose,
You did the right thing by applying the registry only the clien
computer. This registry key is created on the machine, where th
Kerberos events are logged.
KB:935744, has complete explanation on this.

Regards,
Rishi
Microsoft Server Support (Directory Services

--
rishicool200
-----------------------------------------------------------------------
rishicool2002's Profile: http://forums.techarena.in/members/114615.ht
View this thread: http://forums.techarena.in/active-directory/1243111.ht

http://forums.techarena.i
josé
2009-09-08 12:21:01 UTC
Permalink
Hello Rishi :)

Last question:

What is your opinion on this:
1. We install the registry on all computers & servers.
2. We install the registry ONLY on computers that have the eventID 6.

Thank you.
Jose,
You did the right thing by applying the registry only the client
computer. This registry key is created on the machine, where the
Kerberos events are logged.
KB:935744, has complete explanation on this.
Regards,
Rishi
Microsoft Server Support (Directory Services)
--
rishicool2002
------------------------------------------------------------------------
rishicool2002's Profile: http://forums.techarena.in/members/114615.htm
View this thread: http://forums.techarena.in/active-directory/1243111.htm
http://forums.techarena.in
Paul Bergson [MVP-DS]
2009-09-08 12:49:22 UTC
Permalink
Yes you can increase the token size but I would look at why you have such a
token bloat issue. As the token increases logon times are going to
increase, etc... I would work to reduce the size, Microsoft made it the
size that it is for a reason. You are using to many groups, I don't see why
anyone should belong to 390 groups, that is the real problem here.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
Post by josé
Hello Rishi :)
1. We install the registry on all computers & servers.
2. We install the registry ONLY on computers that have the eventID 6.
Thank you.
Jose,
You did the right thing by applying the registry only the client
computer. This registry key is created on the machine, where the
Kerberos events are logged.
KB:935744, has complete explanation on this.
Regards,
Rishi
Microsoft Server Support (Directory Services)
--
rishicool2002
------------------------------------------------------------------------
rishicool2002's Profile: http://forums.techarena.in/members/114615.htm
View this thread: http://forums.techarena.in/active-directory/1243111.htm
http://forums.techarena.in
josé
2009-09-08 12:55:01 UTC
Permalink
Thank u :)
Post by Paul Bergson [MVP-DS]
Yes you can increase the token size but I would look at why you have such a
token bloat issue. As the token increases logon times are going to
increase, etc... I would work to reduce the size, Microsoft made it the
size that it is for a reason. You are using to many groups, I don't see why
anyone should belong to 390 groups, that is the real problem here.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
Post by josé
Hello Rishi :)
1. We install the registry on all computers & servers.
2. We install the registry ONLY on computers that have the eventID 6.
Thank you.
Jose,
You did the right thing by applying the registry only the client
computer. This registry key is created on the machine, where the
Kerberos events are logged.
KB:935744, has complete explanation on this.
Regards,
Rishi
Microsoft Server Support (Directory Services)
--
rishicool2002
------------------------------------------------------------------------
rishicool2002's Profile: http://forums.techarena.in/members/114615.htm
View this thread: http://forums.techarena.in/active-directory/1243111.htm
http://forums.techarena.in
josé
2009-09-08 15:36:01 UTC
Permalink
Very last question :)

in my previous command:

Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 65663
MaxTokenSize (incomplete context): 12372

12372 : is it the user's Token ?

many thx.
Post by josé
Thank u :)
Post by Paul Bergson [MVP-DS]
Yes you can increase the token size but I would look at why you have such a
token bloat issue. As the token increases logon times are going to
increase, etc... I would work to reduce the size, Microsoft made it the
size that it is for a reason. You are using to many groups, I don't see why
anyone should belong to 390 groups, that is the real problem here.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
Post by josé
Hello Rishi :)
1. We install the registry on all computers & servers.
2. We install the registry ONLY on computers that have the eventID 6.
Thank you.
Jose,
You did the right thing by applying the registry only the client
computer. This registry key is created on the machine, where the
Kerberos events are logged.
KB:935744, has complete explanation on this.
Regards,
Rishi
Microsoft Server Support (Directory Services)
--
rishicool2002
------------------------------------------------------------------------
rishicool2002's Profile: http://forums.techarena.in/members/114615.htm
View this thread: http://forums.techarena.in/active-directory/1243111.htm
http://forums.techarena.in
Paul Bergson [MVP-DS]
2009-09-08 20:24:11 UTC
Permalink
No, I believe that to be only what could be sent, hence the "Incomplete"
verbage.

http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
Post by josé
Very last question :)
Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 65663
MaxTokenSize (incomplete context): 12372
12372 : is it the user's Token ?
many thx.
Post by josé
Thank u :)
Post by Paul Bergson [MVP-DS]
Yes you can increase the token size but I would look at why you have such a
token bloat issue. As the token increases logon times are going to
increase, etc... I would work to reduce the size, Microsoft made it the
size that it is for a reason. You are using to many groups, I don't see why
anyone should belong to 390 groups, that is the real problem here.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
Post by josé
Hello Rishi :)
1. We install the registry on all computers & servers.
2. We install the registry ONLY on computers that have the eventID 6.
Thank you.
Jose,
You did the right thing by applying the registry only the client
computer. This registry key is created on the machine, where the
Kerberos events are logged.
KB:935744, has complete explanation on this.
Regards,
Rishi
Microsoft Server Support (Directory Services)
--
rishicool2002
------------------------------------------------------------------------
http://forums.techarena.in/members/114615.htm
http://forums.techarena.in/active-directory/1243111.htm
http://forums.techarena.in
josé
2009-09-09 07:54:01 UTC
Permalink
Understood.

Thanx
Post by Paul Bergson [MVP-DS]
No, I believe that to be only what could be sent, hence the "Incomplete"
verbage.
http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
Post by josé
Very last question :)
Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 65663
MaxTokenSize (incomplete context): 12372
12372 : is it the user's Token ?
many thx.
Post by josé
Thank u :)
Post by Paul Bergson [MVP-DS]
Yes you can increase the token size but I would look at why you have such a
token bloat issue. As the token increases logon times are going to
increase, etc... I would work to reduce the size, Microsoft made it the
size that it is for a reason. You are using to many groups, I don't see why
anyone should belong to 390 groups, that is the real problem here.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
Post by josé
Hello Rishi :)
1. We install the registry on all computers & servers.
2. We install the registry ONLY on computers that have the eventID 6.
Thank you.
Jose,
You did the right thing by applying the registry only the client
computer. This registry key is created on the machine, where the
Kerberos events are logged.
KB:935744, has complete explanation on this.
Regards,
Rishi
Microsoft Server Support (Directory Services)
--
rishicool2002
------------------------------------------------------------------------
http://forums.techarena.in/members/114615.htm
http://forums.techarena.in/active-directory/1243111.htm
http://forums.techarena.in
Loading...