Systems Engineering and RDBMS

MaxTokenSize and Windows Authentication

Posted by decipherinfosys on August 27, 2008

As you know already, there are two modes of connecting to SQL Server – Windows Authentication and SQL Server Authentication. When using Windows Authentication in a large company with many users and groups in AD (Active Directory), you can at times see Kerberos-related connectivity errors that look like this in the event log:

The kerberos SSPI package generated an output token of size 23C9 bytes, which was too large to fit in the 2349 buffer provided by the process id 0. If the condition persists, please contact your system administrator.

A similar error is logged in the SQL Server Error Log as well:

The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library.

These kinds of errors typically occur when users are members of many AD groups (this includes explicit as well as inherited memberships). There is a registry setting called MaxTokenSize which has a default value of 12000 decimal. In larger organizations this default is not adequate, and user tokens can grow larger than this value. Since Kerberos does not accept broken tokens, authentication fails because the value in that registry entry is not high enough.

So, how can you see what value you have in your environment for a given user? MSFT has a utility called TokenSZ which can be used to ascertain that. When you run it, you can see the default size for the MaxToken parameter. If you want to change the value on the server, you will need to modify (or add, if it does not exist already) this registry entry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Under it, you will either see the entry MaxTokenSize or, if it is not there, you can add one by right-clicking in the right pane and selecting New > DWORD Value. Do that as shown in the image below and put in a higher value:

You will need to reboot in order for the change to take effect. Any server or workstation that interacts with SQL Server will need this change. Some more good reading material on this topic can be seen here and here.
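The same check and change done from an elevated PowerShell prompt, as an added example that is not part of the original post: it reads the MaxTokenSize value from the registry path above (falling back to the 12000-byte default the post quotes), counts the group SIDs in the current user's access token, and provides a function to create or update the REG_DWORD. The 65535 upper bound in the validation attribute and the 48000 example value are assumptions, not from the post.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# on each SQL Server host or client machine that hits the Kerberos token error.
$KerbParams = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$DefaultMaxTokenSize = 12000   # default quoted in the post when the value is absent

function Get-MaxTokenSize {
    # Returns the configured MaxTokenSize, or the default when the value is missing.
    $item = Get-ItemProperty -Path $KerbParams -Name 'MaxTokenSize' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        [pscustomobject]@{ Configured = $false; Bytes = $DefaultMaxTokenSize }
    } else {
        [pscustomobject]@{ Configured = $true;  Bytes = [int]$item.MaxTokenSize }
    }
}

function Get-CurrentTokenGroupCount {
    # Number of group SIDs in the calling user's access token; a large count is
    # the usual reason the Kerberos token outgrows MaxTokenSize.
    ([System.Security.Principal.WindowsIdentity]::GetCurrent()).Groups.Count
}

function Set-MaxTokenSize {
    # Upper bound of 65535 is an assumption (largest value Windows accepts).
    param([Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Bytes)
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    if ((Get-MaxTokenSize).Configured) {
        Set-ItemProperty -Path $KerbParams -Name 'MaxTokenSize' -Value $Bytes -Type DWord
    } else {
        New-ItemProperty -Path $KerbParams -Name 'MaxTokenSize' -Value $Bytes -PropertyType DWord | Out-Null
    }
    Write-Host "MaxTokenSize set to $Bytes bytes; reboot for the change to take effect."
}

$current = Get-MaxTokenSize
$state = if ($current.Configured) { 'configured' } else { 'default, value absent' }
Write-Host ("MaxTokenSize: {0} bytes ({1})" -f $current.Bytes, $state)
Write-Host ("Groups in current token: {0}" -f (Get-CurrentTokenGroupCount))
# To raise it, for example: Set-MaxTokenSize -Bytes 48000
```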
