DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 935744 - Last Review: February 4, 2008 - Revision: 2.1

SYMPTOMS

When you use a Microsoft Windows Server 2003-based domain controller to join a Microsoft Windows XP-based client computer to a domain, you may receive an error message that resembles the following on the client computer:
The following error occurred attempting to join the domain "domain_name.com": Not enough storage is available to complete this operation.
Additionally, the following Warning message may be logged in the System log on the client computer:

Event Type: Warning
Event Source: Kerberos
Event Category: None
Event ID: 6
Date: Date
Time: Time
User: N/A
Computer: Computer_Name
Description:
The kerberos SSPI package generated an output token of size 36E7 bytes, which was too large to fit in the 36D3 buffer provided by process id 0. If the condition persists, please contact your system administrator.

CAUSE

This problem occurs because the Kerberos token that is generated during authentication is more than the fixed maximum size. In the original release version of Microsoft Windows 2000, the default value of the MaxTokenSize registry entry was 8,000 bytes. In Windows 2000 with Service Pack 2 (SP2) and in later versions of Windows, the default value of the MaxTokenSize registry entry is 12,000 bytes.

For example, if a user is a member of a group either directly or by membership in another group, the security ID (SID) for that group is added to the user's token. For a SID to be added to the user's token, the SID information must be communicated by using the Kerberos token. If the required SID information exceeds the size of the token, authentication is unsuccessful.

RESOLUTION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows


To resolve this problem, increase the Kerberos token size. To do this, follow these steps on the client computer that logs the Kerberos event.
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Note If the Parameters key is not present, create the key. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
    2. On the Edit menu, point to New, and then click Key.
    3. Type Parameters, and then press ENTER.
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type MaxTokenSize, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Base area, click Decimal, type 65535 in the Value data box, and then click OK.

    Note The default value for the MaxTokenSize registry entry is a decimal value of 12,000. We recommend that you set this registry entry value to a decimal value of 65,535. If you incorrectly set this registry entry value to a hexadecimal value of 65,535, Kerberos authentication operations may fail. Additionally, programs may return errors. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    297869  (http://support.microsoft.com/kb/297869/ ) SMS administrator issues after you modify the Kerberos MaxTokenSize registry value
  7. Exit Registry Editor.
  8. Restart the computer.

MORE INFORMATION

For more information about how to use the Tokensz tool to compute the maximum token size, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?familyid=4A303FA5-CF20-43FB-9483-0F0B0DAE265C&displaylang=en (http://www.microsoft.com/downloads/details.aspx?familyid=4A303FA5-CF20-43FB-9483-0F0B0DAE265C&displaylang=en)
For more information about how to address problems that occur because of access token limitations, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74a&DisplayLang=en (http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74a&DisplayLang=en)
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
327825  (http://support.microsoft.com/kb/327825/ ) New resolution for problems with Kerberos authentication when users belong to many groups
263693  (http://support.microsoft.com/kb/263693/ ) Group Policy may not be applied to users belonging to many groups

APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP Professional
Keywords: 
kbexpertiseadvanced kbtshoot KB935744
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support