Event ID 6 — Privilege Attribute Certificate Configuration
Updated: December 16, 2008
Applies To: Windows Server 2008 R2
The Kerberos Privilege Attribute Certificate (PAC) contains all of the group memberships for the security principal requesting access to a resource. This certificate is transferred to the client by using the Key Distribution Center (KDC).
|Product:||Windows Operating System|
|Message:||The kerberos SSPI package generated an output token of size %1 bytes, which was too large to fit in the token buffer of size %2 bytes, provided by process id %3.
The output SSPI token being too large is probably the result of the user %4 being a member of a large number of groups.
It is recommended to minimize the number of groups a user belongs to. If the problem can not be corrected by reduction of the group memberships of this user, please contact your system administrator to increase the maximum token size, which in term is configured machine-wide via the following registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.
Increase the maximum token size
The Privilege Attribute Certificate (PAC) contains various types of authorization data including groups that the user is a member of, rights the user has, and what policies apply to the user. When the client receives a ticket, the information contained in the PAC is used to generate the user's access token. If the user is a member of many groups, the PAC might exceed the preallocated buffer size.
Possible resolutions include:
- Reduce the user's group membership.
- Increase the maximum token size.
To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
Reduce the user's group membership
You can reduce the user's group membership by using Active Directory Users and Computers to remove the user from groups. The name of the group is identified in the event log message.
Note: Nested group memberships are expanded before they are written to the PAC. Because of this, the actual number of groups that the user is a member of might be more than than it appears to be.
To remove a user account from a group by using Active Directory Users and Computers:
- Log on to a computer that has Active Directory Users and Computers installed. It is installed by default on a domain controller.
- Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
- Locate the user account object. By default, user account objects are created in the Users organizational unit.
- Right-click the user account object, and then click Properties.
- Click the Member Of tab.
- Click the group that you want to remove, and then click Remove.
- Click Yes, confirming that the user account should be removed from this group.
- Repeat steps 6 and 7 for each group that should be removed.
- Close Active Directory Users and Computers.
Increase the maximum token size
To increase the maximum token size:
Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.
- Log on to the Key Distribution Center (KDC) server.
- Click Start.
- In the Start Search box, type regedit, and then press ENTER.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
- Right-click Parameters, point to New, and then click DWORD (32-bit) Value.
- Name the registry entry MaxTokenSize.
- Right-click MaxTokenSize, and then click Modify.
- Under Base, click Decimal.
- Type 65535, and then click OK.
- Close Registry Editor.
- Restart the computer.
- Repeat steps 1-12 for each KDC in your domain.
To verify that the Kerberos Privilege Attribute Certificate (PAC) is present and functioning correctly, you should ensure that a Kerberos ticket was received from the Key Distribution Center (KDC) and cached on the local computer. You can view cached Kerberos tickets on the local computer by using the Klist command-line tool.
Note: Klist.exe is not included with Windows Vista, Windows Server 2003, Windows XP, or Windows 2000. You must download and install the Windows Server Resource Kit before you can use Klist.exe.
To view cached Kerberos tickets by using Klist:
- Log on to a Kerberos client computer within your domain.
- Click Start, point to All Programs, click Accessories, and then click Command Prompt.
- Type klist tickets, and then press ENTER.
- Verify that a cached Kerberos ticket is available.
- Ensure that the Client field displays the client on which you are running Klist.
- Ensure that the Server field displays the domain in which you are connecting.
- Close the command prompt.