Error message: During a logon attempt, the user's security context

"Carpenter" <Carpen***@discussions.microsoft.com> wrote in message news:22542F2D-79F0-427B-AF22-727E52D6EF08@microsoft.com:

The problem is that some of our users experienced a problem during log on, getting this message:

Error message: During a logon attempt, the user's security context accumulated too many security IDs.

Having read some articles about the problem, we've come to understand that it is due to more than 1024 nested groups included in one account. We checked our problem users with ntdsutil.exe - they have about 1150 nested groups (we really need them).

We see two problems here:
1.) The LDAP MaxPageSize policy on DC controllers is by default set to 1000, which means that any LDAP query can't get back more than 1000 AD objects. It's easy to avoid the limit by changing this policy, so we have temporarily changed it to 10000 to be sure that there is no problem with this issue.
2.) MaxTokenSize for Kerberos is set by default to 12000 bytes (http://support.microsoft.com/?kbid=327825). We tried to set it to 65535 (both on our two DC servers and on the user's computer) and it seems to be set, but users still can't log on. We tested our users with the tokensz.exe utility; it shows that 65535 should be quite enough for them to log on (for one of them it even shows: MaxTokenSize (incomplete context) : 11393).

What could we be doing wrong with setting MaxTokenSize, or maybe you know other possible reasons for this error?

Thank you for your help in advance!

"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in message news:ejPv0nDqJHA.3364@TK2MSFTNGP06.phx.gbl:

I don't know about increasing the token size, but the way to retrieve more than 1000 records from AD is to turn on paging. You can do this by assigning a page size, like 100. The value is not that important (although the max is 1000). It just specifies the size of the data that is retrieved in each chunk.

More likely, your problem is that you cannot retrieve more than 1000 values of a multi-valued attribute, like the member attribute of a group or the memberOf attribute of a user. The limit is 1500 if the domain is at Windows 2003 functional level. The solution here is to use range limits.

If you query AD for all members of a large group, you may get more than 1000 records (rows), so paging is the solution. If you query AD for all groups a user is a member of, you should get one record with an array of values. You can reach the limit for multi-valued attributes, and range limits is the solution I use.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
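The two client-side loops Richard describes, paging for large result sets and range retrieval for an over-long multi-valued attribute, as an added example that is not code from the thread or from either poster. FakeDC is a constructed in-memory stand-in for a domain controller that enforces the two server limits named in the thread (MaxPageSize for search results, the 1000/1500 cap on values of one attribute), so the loops can be run offline; the group and user names and the attribute sizes are constructed for illustration.

```python
"""Paging and range retrieval against a simulated domain controller."""

MAX_PAGE_SIZE = 1000   # LDAP policy MaxPageSize (thread: default 1000)


class FakeDC:
    """Constructed stand-in for a DC: a list of group objects plus each user's memberOf."""

    def __init__(self, groups, member_of, max_val_range=1500):
        self.groups = groups                # list of group DNs
        self.member_of = member_of          # user DN -> list of group DNs
        self.max_val_range = max_val_range  # 1500 at 2003 FL, 1000 before (thread)

    def search_groups(self, page_size=None, cookie=0):
        """Return (entries, next_cookie). With no paged-results control the
        result is cut off at MaxPageSize. With the control, each page holds at
        most min(page_size, MaxPageSize) entries and a non-None cookie means
        the client has to ask again."""
        if page_size is None:
            return self.groups[:MAX_PAGE_SIZE], None
        limit = min(page_size, MAX_PAGE_SIZE)
        page = self.groups[cookie:cookie + limit]
        nxt = cookie + limit
        return page, (nxt if nxt < len(self.groups) else None)

    def read_attr(self, user, attr, lo=0):
        """Read one multi-valued attribute the way AD range retrieval behaves:
        an over-long attribute comes back under the name 'attr;range=lo-hi',
        and the final chunk is named 'attr;range=lo-*' to say nothing follows."""
        values = self.member_of[user]
        n = self.max_val_range
        if lo == 0 and len(values) <= n:
            return {attr: list(values)}
        chunk = values[lo:lo + n]
        if lo + n >= len(values):
            return {f"{attr};range={lo}-*": chunk}
        return {f"{attr};range={lo}-{lo + n - 1}": chunk}


def search_all_paged(dc, page_size=100):
    """Paged search (RFC 2696 simple paged results): keep requesting pages
    while the server hands back a cookie. A page_size above MaxPageSize is
    simply capped by the server; the loop still collects everything."""
    out, cookie = [], 0
    while cookie is not None:
        page, cookie = dc.search_groups(page_size=page_size, cookie=cookie)
        out.extend(page)
    return out


def get_all_values_ranged(dc, user, attr):
    """Range retrieval: follow 'attr;range=lo-hi' answers until the server
    returns the terminal 'attr;range=lo-*' form (or the bare attribute)."""
    out, lo = [], 0
    while True:
        (key, values), = dc.read_attr(user, attr, lo=lo).items()
        out.extend(values)
        if ";range=" not in key or key.endswith("-*"):
            return out
        lo = int(key.rsplit("-", 1)[1]) + 1


def demo():
    """Constructed data: 7000 groups in the domain, one user in 1150 of them
    (the numbers the original poster reports)."""
    groups = [f"CN=Group{i},OU=Groups,DC=example,DC=com" for i in range(7000)]
    user = "CN=user1,OU=Users,DC=example,DC=com"
    dc_2003 = FakeDC(groups, {user: groups[:1150]}, max_val_range=1500)
    dc_2000 = FakeDC(groups, {user: groups[:1150]}, max_val_range=1000)
    return {
        "unpaged": len(dc_2003.search_groups()[0]),                  # cut off at 1000
        "paged": len(search_all_paged(dc_2003, page_size=100)),       # all 7000
        "plain_read_2003": list(dc_2003.read_attr(user, "memberOf")),  # fits: ['memberOf']
        "plain_read_2000": list(dc_2000.read_attr(user, "memberOf")),  # ['memberOf;range=0-999']
        "ranged_2000": len(get_all_values_ranged(dc_2000, user, "memberOf")),  # all 1150
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the simulation makes is the one Richard draws: the unpaged search stops at 1000 rows and paging fixes that, while a user's memberOf is one row whose value list is capped separately, so raising MaxPageSize does nothing for it and only the range loop reads it in full.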
"Paul Bergson [MVP-DS]" <pbbergs@nopspam_msn.com> wrote in message news:OiO5H$IqJHA.5832@TK2MSFTNGP02.phx.gbl:

Richard,

Doesn't increasing the MaxPageSize impact the response time? For some reason I thought this was an issue, but can't recall why. I know Microsoft urges you to not change this value for some reason that slips my mind.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote:

I believe it affects performance. Either the server sends many smaller pages of records or fewer but larger pages of records. I've never been able to test for the optimum value. The important thing is to enable paging by setting a Page Size so the server won't stop at 1000 records. My guess is the OP's problem has nothing to do with MaxPageSize.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
"Carpenter" <Carpen***@discussions.microsoft.com> wrote in message news:536DEF08-91EE-4D63-937D-296BA868001F@microsoft.com:

According to the following article, http://support.microsoft.com/?kbid=327825, we decided that MaxTokenSize is our problem. We discussed your answer and checked MaxPageSize. We made a script that retrieves all groups from AD. The first time we got only 1000 groups and the script stopped. Then we increased MaxPageSize in the LDAP policy on the Domain Controller using ntdsutil.exe up to 10000. After that we retrieved 7000 groups, and it was the full list of groups in our domain. Have we got you right? Have you got any idea on our issue?

"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote:

What I discussed does not address your problem at all. Page Size only affects how many records you can retrieve at one time, not how many values each record can hold. I usually don't like to modify domain policies like this, but your solution is the only one I am aware of for your problem (short of reducing the number of groups).

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
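The thread ends with the only fix anyone has for "accumulated too many security IDs": reduce the number of groups. The added example below, which is not code from the thread or from any poster, shows why a bigger MaxTokenSize could not help the original poster: it expands a constructed nested-group graph transitively (cycle-safe), counts the SIDs a logon would carry, and applies the TokenSize = 1200 + 40d + 8s estimate given in KB 327825, the article the thread cites. The 1024-SID cap on a security context is enforced separately from MaxTokenSize. Group names, scopes, the 50 x 22 nesting layout and the deliberate cycle are constructed for illustration.

```python
"""Nested-group expansion, SID count and Kerberos token-size estimate."""
from collections import deque

MAX_TOKEN_SIZE_DEFAULT = 12000   # default MaxTokenSize in bytes (thread, KB 327825)
MAX_SIDS_IN_CONTEXT = 1024       # cap on SIDs in a security context; not raised by MaxTokenSize


def expand_membership(direct_groups, nested_in):
    """Transitive closure of membership over a group -> parent-groups map.
    Breadth-first with a visited set, so a cycle (A in B, B in A) terminates."""
    seen, queue = set(), deque(direct_groups)
    while queue:
        grp = queue.popleft()
        if grp in seen:
            continue
        seen.add(grp)
        queue.extend(nested_in.get(grp, ()))
    return seen


def estimate_token_size(groups, scope, domain_of, account_domain):
    """KB 327825 estimate: 1200 + 40d + 8s, where d counts domain local groups
    plus universal groups from other domains, and s counts global groups plus
    universal groups from the account's own domain."""
    d = s = 0
    for grp in groups:
        foreign_universal = scope[grp] == "universal" and domain_of[grp] != account_domain
        if scope[grp] == "domainlocal" or foreign_universal:
            d += 1
        else:
            s += 1
    return 1200 + 40 * d + 8 * s


def assess_logon(direct_groups, nested_in, scope, domain_of, account_domain,
                 max_token_size=MAX_TOKEN_SIZE_DEFAULT):
    """Run both checks a logon has to pass. The SID count is a lower bound:
    it is the user SID plus one per group, ignoring well-known and logon SIDs."""
    groups = expand_membership(direct_groups, nested_in)
    sids = 1 + len(groups)
    size = estimate_token_size(groups, scope, domain_of, account_domain)
    return {
        "groups": len(groups),
        "sids": sids,
        "token_size": size,
        "token_fits": size <= max_token_size,
        "sid_limit_exceeded": sids > MAX_SIDS_IN_CONTEXT,
    }


def build_constructed_forest(direct_count, nested_per_group):
    """Constructed data: direct_count global groups, each nested into
    nested_per_group distinct parent groups, plus one deliberate cycle."""
    domain = "DC=example,DC=com"
    direct, nested_in, scope, domain_of = [], {}, {}, {}
    for i in range(direct_count):
        grp = f"CN=G{i},OU=Groups,{domain}"
        direct.append(grp)
        parents = [f"CN=G{i}-P{j},OU=Groups,{domain}" for j in range(nested_per_group)]
        nested_in[grp] = parents
        for name in [grp] + parents:
            scope[name] = "global"
            domain_of[name] = domain
    # Cycle: G0 is in G0-P0, and G0-P0 is made a member of G0 again.
    nested_in[f"CN=G0-P0,OU=Groups,{domain}"] = [f"CN=G0,OU=Groups,{domain}"]
    return direct, nested_in, scope, domain_of, domain


def demo(direct_count=50, nested_per_group=22, max_token_size=MAX_TOKEN_SIZE_DEFAULT):
    """50 direct groups x 22 parents each = 1150 groups, the count the poster reports."""
    direct, nested_in, scope, domain_of, domain = build_constructed_forest(
        direct_count, nested_per_group)
    return assess_logon(direct, nested_in, scope, domain_of, domain, max_token_size)


if __name__ == "__main__":
    for max_size in (MAX_TOKEN_SIZE_DEFAULT, 65535):
        print(max_size, demo(max_token_size=max_size))
    print("reduced:", demo(direct_count=30))
```

With all groups global in the account domain, 1150 groups estimate to 10400 bytes, which fits the default 12000 (and agrees with the poster's tokensz reading of roughly 11 KB), yet the 1151 SIDs exceed the 1024 cap; raising MaxTokenSize to 65535 changes the first verdict's margin and not the second, which is the outcome the thread describes. Cutting the constructed layout to 30 direct groups (690 total) passes both checks.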