The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Windows security Token Bloat

Posted by jpluimers on 2014/01/13

This is what can happen when Windows security token bloat strikes:

… the problem could be minor, or relatively major. You may get weird access denied messages, applications crashing, or strange entries in your event logs. Or worse yet a SID for a group that has a ‘deny permission’ on an object could be dropped into the virtual bit bucket, allowing a user to access a resource they are not supposed to access.

Summary of fixes for token bloat:

  1. Use global or universal groups instead of domain local groups.
  2. Increase MaxTokenSize on all computers.
  3. Convert security groups to distribution groups if they are only used as email lists.
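The first two fixes can be checked before rolling them out. The PowerShell below is an added example, not code from the original post or from the sources it cites: it estimates the Kerberos token size of the current user with the sizing formula Microsoft published for token bloat (TokenSize = 1200 + 40d + 8s, where d counts domain local groups and universal groups from other domains, and s counts global groups and universal groups from the user's own domain), and compares the estimate with the MaxTokenSize value configured in the registry. It assumes the ActiveDirectory (RSAT) module is available to look up group scope; without it every group is charged the larger 40-byte cost, so the estimate errs high rather than low. The formula shows why fix 1 helps: a domain local group costs five times as much token space as a global one.

```powershell
# Added example (not from the original post). Estimates the current user's
# Kerberos token size and compares it with the configured MaxTokenSize.
#     TokenSize = 1200 + 40*d + 8*s
# d = domain local groups + universal groups from other domains (+ SIDHistory entries)
# s = global groups + universal groups from the user's own account domain
# Group scope is read via the ActiveDirectory (RSAT) module when present; otherwise
# every group is charged the 40-byte cost, so the estimate is an upper bound.

function Get-TokenBloatEstimate {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $userDomainSid = $identity.User.AccountDomainSid

    # Only domain/machine account groups (S-1-5-21-...) count towards d and s;
    # well-known SIDs (Everyone, BUILTIN\Users, ...) are covered by the 1200-byte base.
    $groupSids = @($identity.Groups | Where-Object { $_.Value -like 'S-1-5-21-*' })
    $haveAD = [bool](Get-Module -ListAvailable -Name ActiveDirectory)

    $d = 0; $s = 0
    foreach ($sid in $groupSids) {
        $scope = $null
        if ($haveAD) {
            try { $scope = (Get-ADGroup -Identity $sid.Value).GroupScope } catch { $scope = $null }
        }
        switch ("$scope") {
            'Global'    { $s++ }
            'Universal' { if ($sid.AccountDomainSid -eq $userDomainSid) { $s++ } else { $d++ } }
            default     { $d++ }   # DomainLocal, or unknown scope: charge the larger cost
        }
    }
    $estimate = 1200 + 40 * $d + 8 * $s

    # Limit configured on this computer (fix 2 in the post raises this value).
    $kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $configured = (Get-ItemProperty -Path $kerbKey -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    if (-not $configured) {
        # Documented defaults: 12000 bytes up to Windows 7 / Server 2008 R2,
        # 48000 bytes from Windows 8 / Server 2012 (NT version 6.2) onwards.
        $configured = if ([Environment]::OSVersion.Version -ge [Version]'6.2') { 48000 } else { 12000 }
    }

    [pscustomobject]@{
        GroupSidsInToken     = $identity.Groups.Count
        DomainLocalOrForeign = $d
        GlobalOrOwnUniversal = $s
        EstimatedTokenBytes  = $estimate
        MaxTokenSize         = $configured
        OverMaxTokenSize     = ($estimate -gt $configured)
        OverPacSidLimit      = ($identity.Groups.Count -gt 1024)   # hard PAC limit from the post
    }
}

Get-TokenBloatEstimate | Format-List

# Raising the limit on this computer (fix 2): 48000 is the Windows 8 / 2012 default,
# 65535 is the largest accepted value. Run elevated; prefer rolling it out via GPO.
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' -Name MaxTokenSize -Value 48000 -Type DWord
```

Run it as the affected user on a domain-joined machine; OverMaxTokenSize reports whether the estimate exceeds the configured limit, and OverPacSidLimit whether the token carries more than the 1,024 SIDs the PAC can hold, a condition that raising MaxTokenSize cannot fix and that only trimming group memberships addresses.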

There is a hard-coded limit of 1,024 SIDs for the Kerberos PAC (Privilege Attribute Certificate).

The Kerberos token size still remains at 64 KB in Windows 7 / Windows Server 2008 R2.

This is what UWWI did to avoid token bloat: UWWI Token Bloat – IAM – UW Information Technology Wiki.
