⚑ Deus Ex Machina ➽ Eventlog Lookup

Deus Ex Machina » Eventlog » Event 15 - Security-Kerberos

Security-Kerberos - 15


Description »
The kerberos SSPI package generated an output token of size 13452 bytes, which was too large to fit in the token buffer of size 12000 bytes, provided by process id 2996.
 The application needs to be fixed to supply a token buffer of size at least 65535 bytes.
Data formatted as » EventData
NeededSize 13452 
ActualSize 12000 
ClientProcessID 2996 
RequiredSize 65535 

Much like Kerberos event ID 6, on earlier versions of Windows, this event shows an issue with token bloat.

Typically, this happens when the user is a member of a large number of security groups.

The Kerberos token size can be increased in order to work around token bloat. This is configured in the registry, at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, in a DWORD value called MaxTokenSize. If this key does not exist, the default values are:

Windows 20008,000
Windows 2000 SP212,000
Windows 201248,000

Although this can be set to a value of up to 65,535 (as required by RFC 4121), setting it higher than 48,000 can cause issues with some HTTP applications (due to restrictions on header length).