If a user is a member of many groups either directly or
because of group nesting, Kerberos authentication may not work. The Group
Policy object (GPO) may not be applied to the user and the user may not be
validated to use network resources.
The Kerberos token has a fixed size. If a user is a member
of a group either directly or by membership in another group, the security ID
(SID) for that group is added to the user's token. For a SID to be added to the
user's token, it must be communicated by using the Kerberos token. If the
required SID information exceeds the size of the token, authentication does not
succeed. The number of groups varies, but the limit is approximately 70 to 80
For many operations, Windows NTLM authentication succeeds;
the Kerberos authentication problem may not be evident without analysis.
However, operations that include GPO application do not work at all.
Service pack information
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
How to Obtain the Latest Windows
2000 Service Pack
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix. Note
If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note
The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone
tab in the Date and Time tool in Control Panel.
Date Time Version Size File name
01/25/2001 02:24p 5.0.2195.2842 130,320 Adsldpc.dll
01/25/2001 02:24p 5.0.2195.2835 348,944 Advapi32.dll
01/25/2001 02:23p 5.0.2195.2816 502,032 Instls5.dll
01/25/2001 02:24p 5.0.2195.2842 140,560 Kdcsvc.dll
01/17/2001 01:17p 5.0.2195.2842 198,928 KERBEROS.dll
12/19/2000 09:13p 5.0.2195.2808 69,456 Ksecdd.sys
01/25/2001 02:24p 5.0.2195.2816 484,112 Lsasrv.dll
01/02/2001 08:45a 5.0.2195.2816 33,552 Lsass.exe
01/23/2001 05:06p 5.0.2195.2850 108,816 Msv1_0.dll
01/25/2001 02:24p 5.0.2195.2844 912,656 Ntdsa.dll
01/25/2001 02:24p 5.0.2195.2780 363,280 Samsrv.dll
01/25/2001 02:24p 5.0.2195.2797 128,272 Wldap32.dll
Note that you must use a registry parameter that is
available with this hotfix to increase the Kerberos token size. See the "More
Information" section of this article for additional information.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows 2000 Service Pack 2.
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
A registry parameter is available after you apply
this hotfix that you can use to increase the Kerberos token size. For example,
increasing the token size to 65 KB allows a user to be present in more than
900 groups. Because of the associated SID information, this number may vary.
To use this parameter:
- Start Registry Editor (Regedt32.exe).
- Locate and click the following key in the registry:
- If this key is not present, create the key. To do so:
- Click the following key in the registry:
- On the Edit menu, click Add Key.
- Create a Parameters key.
- Click the new Parameters key.
- On the Edit menu, click Add Value, and then add the following registry value:
Value name: MaxTokenSize
Data type: REG_DWORD
Value data: 65535
- Quit Registry Editor.
The default value for MaxTokenSize
is 12000 decimal. We recommend that you set this value to
65535 decimal, FFFF hexadecimal. If you set this value incorrectly to 65535
hexadecimal (an extremely large value) Kerberos authentication operations may
fail, and programs may return errors.
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
SMS administrator issues after you modify the Kerberos MaxTokenSize registry value
After you set the value and the computer is
updated, restart the computer. You can use Group Policy settings to set this
value for all computers. If you add the registry key to computers before you
apply the hotfix or Windows 2000 SP2, no changes take
For additional information about this registry value, click the following article number to view the article in the Microsoft Knowledge Base:
Error Message: "Timeout expired" occurs when you connect to SQL Server over TCP/IP and the Kerberos MaxTokenSize is greater than 0xFFFF
DCOM client may put memory on the wire
Frequently Asked Questions
- Question: Do I apply this hotfix from the hotfix package or from Windows
2000 Service Pack 2?
Answer: You can apply either the Q263693 hotfix or apply Windows 2000
- Question: Do I have to modify the registry as mentioned in this article
after I apply this hotfix?
Answer: By default, Microsoft supports the user belonging to 70-80
groups. If you want to support more groups, then you have to adjust the value
in the registry accordingly. Follow the guideline example provided in this
- Question: Where do I have to apply this hotfix and make the registry
Answer: You must implement the registry setting on every computer in the
enterprise that is running Windows 2000 and/or Microsoft Windows XP. This
includes domain controllers, member servers, and client computers. The hotfix
is also required for computers that are running Windows 2000 Service Pack 1 or
- Question: I log on to the domain through Terminal Server Session (TS is
running on Member Servers), so where do I have to install the fix?
Answer: Install the Q263693 Kerberos fixes on the domain controllers
- Question: How does this hotfix affect the system performance on
Answer: The token size will be a statically defined data structure. 65K
is a relatively low penalty to pay for most systems. However, if the user is a
member of ~1000 groups, the authentication time will be greater than if the
number of groups is smaller. In other words, if the token size is increased,
there should be no observable performance penalty other than memory resource
consumption. This applies to operations including GPO initialization. This is
because the actual Kerberos information sent on the wire is not of a fixed
size. Its size depends upon the group/SID information required.
- Question: How does this affect the memory resource on domain controllers
Answer: The domain controller generates the User Access Ticket, but the
allocation is on the workstation. So you will see the insignificant memory
usage on the workstations depending on the Token size you set in the
For additional informations, click the following article number to view the article in the Microsoft Knowledge Base:
Internet Explorer logon fails due to an insufficient buffer for Kerberos
SMS administrator issues after you modify the Kerberos MaxTokenSize registry value
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the
same time, click the following article number to view the article in the Microsoft Knowledge Base:
Installing Microsoft Windows 2000 and Windows 2000