Discussion:
MaxTokenSize
(too old to reply)
DJ Jazzy Geoff
2007-08-28 16:11:21 UTC
Permalink
Hello all !

I've got a issue that seems to be related to a user having a 'too large
of a token' due to group membership. Right now the only place this is
manifesting itself is when logging into OWA (we've increased the
MaxTokenSize reg key on all internal machines). I've set the registry
key to allow for a token size of 65535 on the OWA webserver, but the
user still has the issue.

Thoughts?

G
Mathieu CHATEAU
2007-08-28 16:31:03 UTC
Permalink
Hello,

you can use this tool to calculate your token size:
Tokensz
http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en

How many security groups is it member of ?
--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
Post by DJ Jazzy Geoff
Hello all !
I've got a issue that seems to be related to a user having a 'too large
of a token' due to group membership. Right now the only place this is
manifesting itself is when logging into OWA (we've increased the
MaxTokenSize reg key on all internal machines). I've set the registry
key to allow for a token size of 65535 on the OWA webserver, but the
user still has the issue.
Thoughts?
G
DJ Jazzy Geoff
2007-08-28 17:24:38 UTC
Permalink
100+ groups

Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 65663

MaxTokenSize (incomplete context): 10958
Post by Mathieu CHATEAU
Hello,
Tokensz
http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en
How many security groups is it member of ?
Mathieu CHATEAU
2007-08-28 17:37:43 UTC
Permalink
100+ directly member or nested groups ?

That wouldn't be an issue.
What make you think your problem is a token size one?
--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
Post by DJ Jazzy Geoff
100+ groups
Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 65663
MaxTokenSize (incomplete context): 10958
Post by Mathieu CHATEAU
Hello,
Tokensz
http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en
How many security groups is it member of ?
DJ Jazzy Geoff
2007-08-29 12:35:31 UTC
Permalink
Looks like it's sIDHistory that's exploding the token size.
Post by Mathieu CHATEAU
100+ directly member or nested groups ?
That wouldn't be an issue.
What make you think your problem is a token size one?
Mathieu CHATEAU
2007-08-29 18:48:04 UTC
Permalink
Hello,

did you migrate them through ADMT from another forest ?
sid history is not meant to last for a long time
--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
Post by DJ Jazzy Geoff
Looks like it's sIDHistory that's exploding the token size.
Post by Mathieu CHATEAU
100+ directly member or nested groups ?
That wouldn't be an issue.
What make you think your problem is a token size one?
DJ Jazzy Geoff
2007-08-29 21:24:07 UTC
Permalink
upon further investigation, it's not sIDHistory. It seems to be
incorrect deployment of the MaxTokenSize reg key, and very poor group
nesting done by some admins
Post by Mathieu CHATEAU
Hello,
did you migrate them through ADMT from another forest ?
sid history is not meant to last for a long time
Loading...