Export (0) Print
Expand All
2 out of 3 rated this helpful - Rate this topic

Additional Resources for Troubleshooting Kerberos

Updated: March 2, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

For additional information about troubleshooting Kerberos problems, see the following resources:

General resources

  • Introduction to Support Tools on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkID=38906)

  • Using Ldp.exe to Find Data in the Active Directory on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=23064)

  • Ldifde on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkID=42656)

  • Setspn.exe: Manipulate Service Principal Names for Accounts on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=43030)

  • Troubleshooting Kerberos Errors (http://www.microsoft.com/downloads/details.aspx?familyid=7dfeb015-6043-47db-8238-dc7af89c93f1&displaylang=en)

  • Tokensz.exe on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=42933)

  • Kerberos protocol registry entries and KDC configuration keys in Windows Server 2003 in Microsoft Knowledge Base article 837361 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;837361)

  • Http.sys registry settings for IIS in Microsoft Knowledge Base article 82019 (http://support.microsoft.com/kb/820129)

  • Kerberos protocol registry entries that are defined under the Parameters subkey in Windows Server 2003, Windows XP, and Windows 2000 in Microsoft Knowledge Base article 244556 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;244556)

Kerberos Authentication and Ticket Sizing Issues

  • Addressing Problems Due to Access Token Limitation (http://www.microsoft.com/downloads/details.aspx?familyid=22DD9251-0781-42E6-9346-89D577A3E74A&displaylang=en)

  • New resolution for problems with Kerberos authentication when users belong to many groups in Microsoft Knowledge Base article 327825 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;327825)

  • How to use Group Policy to add the MaxTokenSize registry entry to multiple computers on a domain controller that is running Windows Server 2003 or that is running Windows 2000 in Microsoft Knowledge Base article 938118 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;938118).

  • Event ID 1053 is logged when you use the "Gpupdate /force" command, or you restart a Windows Server 2003-based domain controller in Microsoft Knowledge Base article 937535  (http://support.microsoft.com/default.aspx?scid=kb;EN-US;937535)

  • Error message when you use a Windows Server 2003-based domain controller to join a Windows XP-based client computer to a domain: "Not enough storage is available to complete this operation" in Microsoft Knowledge Base article 935744  (http://support.microsoft.com/default.aspx?scid=kb;EN-US;935744)

  • Domain join during an unattended setup fails with an unexpected error message in computers that are running Windows 2000, Windows XP, or Windows Server 2003 in Microsoft Knowledge Base article 920599  (http://support.microsoft.com/default.aspx?scid=kb;EN-US;920599)

  • You may receive an error message when you try to connect to an instance of SQL Server or SQL Server Desktop Engine by using Windows Authentication in Microsoft Knowledge Base article 867581  (http://support.microsoft.com/default.aspx?scid=kb;EN-US;867581)

  • "The information store could not be opened" error message when you try to retrieve the client permissions of a public folder in Exchange 2003 in Microsoft Knowledge Base article 842019  (http://support.microsoft.com/default.aspx?scid=kb;EN-US;842019)

  • The Mobile Information Server Message Processor crashes when a user tries to use Outlook Mobile Access in Microsoft Knowledge Base article 819529 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;819529)

  • How to troubleshoot server ActiveSync HTTP error codes in Microsoft Knowledge Base article 330463 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;330463)

  • How to troubleshoot inter-forest sIDHistory migration with ADMTv2 in Microsoft Knowledge Base article 322970 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;322970)

  • DCOM Client May Put Memory on the Wire in Microsoft Knowledge Base article 300367  (http://support.microsoft.com/default.aspx?scid=kb;EN-US;300367)

  • SMS administrator issues after you modify the Kerberos MaxTokenSize registry value in Microsoft Knowledge Base article 297869 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;297869)

  • Kerberos authentication may not work if user is a member of many groups in Microsoft Knowledge Base article 280830 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;280830)

  • Internet Explorer logon fails due to an insufficient buffer for Kerberos in Microsoft Knowledge Base article 277741  (http://support.microsoft.com/default.aspx?scid=kb;EN-US;277741)

  • Internet Explorer Kerberos authentication does not work because of an insufficient buffer connecting to IIS in Microsoft Knowledge Base article 269643 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;269643)

  • Group Policy may not be applied to users belonging to many groups in Microsoft Knowledge Base article 263693 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;263693)

  • How to use SPNs when you configure Web applications that are hosted on IIS 6.0 in Microsoft Knowledge Base article 929650 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;929650)

  • FIX: Error Message: "Timeout expired" Occurs When You Connect to SQL Server Over TCP/IP and the Kerberos MaxTokenSize is Greater Than 0xFFFF in Microsoft Knowledge Base article 313661 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;313661)

  • FIX: You receive an "Error 413" error message when you try to log on to Site Builder by clicking to select the "Login as <CurrentUser>" check box in Content Management Server 2001 in Microsoft Knowledge Base article 867431  (http://support.microsoft.com/default.aspx?scid=kb;EN-US;867431)

  • INF: List of Bugs Fixed by SQL Server 7.0 Service Packs in Microsoft Knowledge Base article 313980 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;313980)

Web applications and services, such as Internet Explorer, Internet Information Server, and Outlook Web Access may require additional Kerberos maximum settings adjusted, which are discussed in the following articles:

  • MaxBufferedSendBytes – Used to resolve slow performance when Internet Server Application Programming Interface (ISAPI) applications or Common Gateway Interface (CGI) applications are hosted on Microsoft Internet Information Services (IIS) 6.0, as described in Microsoft Knowledge Base article 906977 (http://support.microsoft.com/kb/906977/)

  • MaxClientRequestBuffer, MaxFieldLength, and MaxRequestBytes – Used to resolve HTTP 400 Bad Request (Request Header Too Long) errors, as described in Microsoft Knowledge Base article 920862 (http://support.microsoft.com/kb/920862).

  • MaxPacketSize – Used to resolve Kerberos failures that results in “There are currently no logon servers available to service the logon request” error messages, as described in Microsoft Knowledge Base article (http://support.microsoft.com/kb/244474).

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.