RE: Kerberos ticket size problem affects MS layered products

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 4 Feb 2003 18:43:48 -0600

Hi Shawn,

Nice tip. I've somehow been able to steer clear of AD stuff since Win2k
came out. Oh yea, my wife is the AD pro, so I've been able to just ask
her if I have a problem :-)

Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp 


-----Original Message-----
From: Quillman Shawn (RBNA/CIT1.1) [mailto:Shawn.Quillman@xxxxxxxxxxxx] 
Sent: Tuesday, February 04, 2003 10:52 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Kerberos ticket size problem affects MS layered products


Here's a heads up for you all if you haven't seen it yet. Our main AD admins tell me that we are having a pretty crappy forest-wide problem here with Active Directory that affects authentication, including authentication to MS layered products (IIS, Exchange, ISA, etc). Apparently there is a problem with the Kerberos ticket size in AD. Our main admins increased the ticket size to accommodate the number of groups that accounts could belong to, and that really whacked things out, including authenticating to said layered products. Some people were not even able to log in to Windows. We are finding that people in 16+ groups are being affected by this (I'm not positive if nested groups count toward that 16). Apparently MS has a hotfix that will change how group membership is determined, but they're not sure yet how to deploy it throughout our forest. We are quite large, so maybe for smaller companies it can be applied more easily.

Potential workarounds:
1) Alter the ticket size on the client: add a REG_DWORD
HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize
with a value of decimal 100000. Increase this value by a factor of 10 if this fails.

2) Turn off Kerberos authentication on the layered product

3) Reduce the number of groups assigned to the user. Unfortunately this is the only option that has worked 100% of the time for us...

So if you get any funky authentication problems in ISA (or anything else for that matter) and all of your configurations are definitely correct.....

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation RBNA/CIT1.1
38000 Hills Tech Drive
Farmington Hills, MI  48331
(248) 553-1164 (P)     (248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx
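Added example (editor's, not part of Shawn's post or of any Microsoft documentation quoted here): a PowerShell version of workaround 1 above, plus the check a practitioner wants next to it, namely how many group SIDs the affected account's token actually carries. It assumes a current Windows client, an elevated session, and the registry path and decimal value exactly as given in the post. The group count comes from the live access token, so it is the transitive set (nested groups appear here too); that is the set the KDC puts in the PAC, which is what inflates the ticket. Microsoft's later guidance on this value caps it at 65535 decimal and defaults to 48000 on Windows 8 / Server 2012 and later, so check current documentation before writing the 100000 suggested in the post to a modern client.

```powershell
# Added example, not code from the original post. Run elevated.
# Assumptions: the registry path below (from the post) and the decimal
# value 100000 (also from the post). Adjust per current Microsoft guidance.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$Name    = 'MaxTokenSize'
$Value   = 100000   # decimal, as suggested in the post

function Set-MaxTokenSize {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the Parameters key if it does not exist yet, then write the
    # REG_DWORD and read it back so the caller can confirm the write landed.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    (Get-ItemProperty -Path $Path -Name $Name).$Name
}

function Get-TokenGroupCount {
    # Group SIDs present in the current access token. This is the transitive
    # membership (nested groups are expanded), i.e. what drives PAC size.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $id.Groups.Count
}

function Get-TokenGroupNames {
    # Resolve each group SID to a name where possible, so the list can be
    # compared against the user's intended memberships (workaround 3).
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolvable SID (e.g. orphaned group): keep raw
    }
}

$written = Set-MaxTokenSize -Path $KeyPath -Name $Name -Value $Value
"MaxTokenSize is now $written (decimal)"
"Current token carries $(Get-TokenGroupCount) group SIDs:"
Get-TokenGroupNames | Sort-Object
```

Run it as the user who is failing to authenticate: the group count tells you whether that account is in the oversized-token population the post describes, and the resolved names show which memberships are candidates for trimming if the registry change alone does not fix the logon.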

