Total Pageviews

Showing posts with label How to reduce Kerberos token bloat. Show all posts
Showing posts with label How to reduce Kerberos token bloat. Show all posts

Tuesday, March 12, 2019

Kerberos Token Bloat (MaxTokenSize)

How to reduce Kerberos token bloat
To reduce the Kerberos Ticket Size you can:
  •  Reduce group membership(No need to reduce DLs , Mostly security groups)
  • Clean up SID History
  • Limit the number of users that are configured to use "trusted for delegation". The account that are configured  to use "trusted   for delegation" the buffer requirements for each SID may double

          How to prevent Kerberos login errors due to token bloat

To allow a user to be a member of more than 900 groups you can increase the size of the MaxTokenSize by modify the following registry key on all workstations.
 To use this parameter:
  1. Start Registry Editor (Regedt32.exe).
  1. Locate and click the following key in the registry: System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  1. If this key is not present, create the key. To do so:
    1. Click the following key in the registry: System\CurrentControlSet\Control\Lsa\Kerberos
    2. On the Edit menu, click Add Key.
    3. Create a Parameters key.
    4. Click the new Parameters key.
  1. On the Edit menu, click Add Value, and then add the following registry value: 
    Value name: 
    MaxTokenSizeData type: REG_DWORDRadix: DecimalValue data: 48000

Azure Pricing

  Azure offers pay-as-you-go and reserved instances for pricing. Azure Pricing Factors: Resource size and resource type. Different Azure loc...