Calculate Kerberos token size

The authentication protocol within a Microsoft infrastructure since the Windows 2000 time frame has been Kerberos. The Kerberos token leverages a predefined buffer to house authorization requests. This predefined Kerberos buffer size is set by the MaxTokenSize setting found in the registry here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

The MaxTokenSize default is 12000 bytes. This has been the default value since Windows 2000 SP2 and still remains in Windows 7 and Windows Server 2008 R2. As companies grow, so do the groups within your organization. If a user's Kerberos token becomes too big, that user will receive error messages during logon, and applications that use Kerberos authentication will potentially fail as well.

In the past we had guidance that stated you could increase the MaxTokenSize registry entry to 65535. But because of the limits imposed by HTTP's base64 encoding of authentication context tokens, starting with Windows Server 2012 the default value of the MaxTokenSize registry entry is 48000 bytes. This is why the recommendation is to set the MaxTokenSize no larger than 48000 bytes on any OS version.

A very nice script has been written to help you with the Kerberos token size calculation. It is based on the article KB327825, which gives us the official formula:
TokenSize = 1200 + 40d + 8s

This formula uses the following values:

  • d: The number of domain local groups a user is a member of plus the number of universal groups outside the user’s account domain that the user is a member of plus the number of groups represented in security ID (SID) history.
  • s: The number of security global groups that a user is a member of plus the number of universal groups in a user’s account domain that the user is a member of.
  • 1200: The estimated value for ticket overhead. This value can vary, depending on factors such as DNS domain name length, client name, and other factors.

In scenarios in which delegation is used (for example, when users authenticate to a domain controller), we recommend that you double the token size.

It has been interpreted in PowerShell with this formula:
$TokenSize = 1200 + (40 * ($SecurityDomainLocalScope + $SecurityUniversalExternalScope + $GroupSidHistoryCounter)) + (8 * ($SecurityGlobalScope + $SecurityUniversalInternalScope))

with:

  • $SecurityDomainLocalScope : number of Domain Local groups
  • $SecurityUniversalExternalScope : number of Universal External groups
  • $GroupSidHistoryCounter : number of groups in the SID History
  • $SecurityGlobalScope : number of groups in the Domain Global scope
  • $SecurityUniversalInternalScope : number of groups in the Universal scope

And the formula if delegation is used:
$DelegatedTokenSize = 2 * (1200 + (40 * ($SecurityDomainLocalScope + $SecurityUniversalExternalScope + $GroupSidHistoryCounter)) + (8 * ($SecurityGlobalScope + $SecurityUniversalInternalScope)))
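The following PowerShell is an added example and not the Script Center script the post refers to. It wraps the KB327825 formula above in a function that compares the estimate against the MaxTokenSize configured in the registry key named earlier (falling back to the 12000-byte default when the value is absent), and adds a helper that gathers the five counters for a real account from Active Directory. The AD helper assumes the RSAT ActiveDirectory module and uses the constructed tokenGroups attribute so nested membership is included; counting any group SID that does not resolve in the user's own domain as a universal group outside the account domain is a simplifying assumption of this example, not something the post states.

```powershell
# Added example (not the post's script). Estimates Kerberos token size with
# TokenSize = 1200 + 40d + 8s (KB327825) and checks it against MaxTokenSize.

function Get-ConfiguredMaxTokenSize {
    # Reads MaxTokenSize from the key named in the post; falls back to the
    # 12000-byte default when the value has not been set.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $item = Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($null -ne $item -and $null -ne $item.MaxTokenSize) { return [int]$item.MaxTokenSize }
    return 12000
}

function Get-KerberosTokenSizeEstimate {
    param(
        [int]$SecurityDomainLocalScope = 0,
        [int]$SecurityUniversalExternalScope = 0,
        [int]$GroupSidHistoryCounter = 0,
        [int]$SecurityGlobalScope = 0,
        [int]$SecurityUniversalInternalScope = 0,
        [switch]$Delegated,
        [int]$MaxTokenSize = (Get-ConfiguredMaxTokenSize)
    )
    # d and s exactly as KB327825 defines them
    $d = $SecurityDomainLocalScope + $SecurityUniversalExternalScope + $GroupSidHistoryCounter
    $s = $SecurityGlobalScope + $SecurityUniversalInternalScope
    $size = 1200 + (40 * $d) + (8 * $s)
    if ($Delegated) { $size *= 2 }   # KB327825: double the estimate when delegation is used

    [pscustomobject]@{
        D                   = $d
        S                   = $s
        Delegated           = [bool]$Delegated
        EstimatedTokenSize  = $size
        MaxTokenSize        = $MaxTokenSize
        ExceedsMaxTokenSize = ($size -gt $MaxTokenSize)
    }
}

function Get-ADUserGroupCounts {
    # Collects the five counters for one user. tokenGroups is a constructed
    # attribute that already contains nested group membership. ASSUMPTION of
    # this example: a group SID that cannot be resolved in the user's own domain
    # is treated as a universal group outside the account domain.
    param([Parameter(Mandatory)][string]$Identity)
    Import-Module ActiveDirectory -ErrorAction Stop

    $user = Get-ADUser -Identity $Identity -Properties SIDHistory, tokenGroups
    # Domain part of a DN: everything from the first "DC=" component onwards
    $userDomainDn = ($user.DistinguishedName -split ',(?=DC=)', 2)[1]

    $counts = @{ DomainLocal = 0; UniversalExternal = 0; Global = 0; UniversalInternal = 0 }
    foreach ($sid in $user.tokenGroups) {
        try {
            $group = Get-ADGroup -Identity $sid -Properties GroupScope -ErrorAction Stop
        } catch {
            $counts.UniversalExternal++
            continue
        }
        $groupDomainDn = ($group.DistinguishedName -split ',(?=DC=)', 2)[1]
        switch ($group.GroupScope) {
            'DomainLocal' { $counts.DomainLocal++ }
            'Global'      { $counts.Global++ }
            'Universal'   {
                if ($groupDomainDn -eq $userDomainDn) { $counts.UniversalInternal++ }
                else { $counts.UniversalExternal++ }
            }
        }
    }

    # Returned as a hashtable so it can be splatted into Get-KerberosTokenSizeEstimate
    @{
        SecurityDomainLocalScope       = $counts.DomainLocal
        SecurityUniversalExternalScope = $counts.UniversalExternal
        GroupSidHistoryCounter         = @($user.SIDHistory).Count
        SecurityGlobalScope            = $counts.Global
        SecurityUniversalInternalScope = $counts.UniversalInternal
    }
}

# Offline run with constructed counts (no domain needed):
Get-KerberosTokenSizeEstimate -SecurityDomainLocalScope 150 -SecurityUniversalExternalScope 20 `
    -GroupSidHistoryCounter 5 -SecurityGlobalScope 300 -SecurityUniversalInternalScope 40 -Delegated

# Against a real account (hypothetical sAMAccountName), splatting the gathered counters:
# $c = Get-ADUserGroupCounts -Identity 'jdoe'
# Get-KerberosTokenSizeEstimate @c -Delegated
```

The estimate deliberately uses the configured MaxTokenSize of the machine it runs on, so running it on the client that is showing logon errors tells you whether that client's own limit is the one being exceeded; resolving cross-domain groups properly would need a global catalog query, which is why the example flags unresolved SIDs instead of silently dropping them.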

Output: [image of the script's output, not reproduced]

References

Microsoft Script Center
