http://www.jhouseconsulting.com/2013/12/20/script-to-create-a-kerberos-token-size-report-1041
This PowerShell script will enumerate all user accounts in a Domain,
calculate their estimated Token Size and create a report of the top x users in CSV format.
The Kerberos token size grows depending on the following facts:
- Amount of direct and indirect (nested) group memberships.
- Distribution groups are not included in the token, but all security groups are included.
-
- All group scopes are included in the token evaluation.
- Whether or not the user has a SID history, and if so, the number of entries.
- Authentication method (username/password or multi-factor like Smart Cards).
- The user is enabled for Kerberos delegation.
- Local user rights assigned to the user.
If it grows beyond the default maximum allowed size…
- Access and single sign-on (SSO) to Kerberos enabled services will fail, as well as causing unknown side-effects to other services.
- You have the option of reducing the Kerberos Token Size, or modifying the MaxTokenSize setting on the computers. Now days increasing the MaxTokenSize setting is a given, however reducing the Kerberos Token Size is a necessary management task and often focussed around the security group design and implementation, and perhaps the clean-up of SID history.
As per KB327825, use the following formula to determine whether it is necessary to modify the MaxTokenSize value or not:
TokenSize = 1200 + 40d + 8s
This formula uses the following values:
- d: The number of domain local groups a user is a member of plus the number of universal groups outside the user’s account domain that the user is a member of plus the number of groups represented in security ID (SID) history.
- Although it’s not documented in KB327825 or any other Microsoft references, I also add the number of global groups outside the user’s account domain that the user is a member of to the “d” calculation of the TokenSize. Whilst the Microsoft methodology is to add universal groups from other domains, it is possible to add global groups too. Therefore it’s important to capture this and correctly include it in the calculation.
- s: The number of security global groups that a user is a member of plus the number of universal groups in a user’s account domain that the user is a member of.
- 1200: The estimated value for ticket overhead. This value can vary, depending on factors such as DNS domain name length, client name, and other factors.
- User rights include rights such as “Log on locally” or “Access this Computer from the network”. The only user rights that are added to an access token are those user rights that are configured on the server that hosts a secured resource. Most of the users are likely to have only two or three user rights on the Exchange server. Administrators may have dozens of user rights. Each user right requires 12 bytes to store it in the token.
-
- Token overhead includes multiple fields such as the token source, expiration time, and impersonation information. For example, a typical domain user has no special access or restrictions; token overhead is likely to be between 400 and 500 bytes.
-
- Estimated value for ticket overhead can vary depending on factors such as DNS domain name length, client name and other factors.
- Each group membership adds the group SID to the token together with an additional 16 bytes for associated attributes and information. The maximum possible size for SID is 68 bytes. Therefore, each security group to which a user belongs typically adds 44 bytes to the user’s token size.
- Domain Local group SIDs are 40 bytes each.
-
- Domain Global and Universal groups are 8 bytes each.
Vous pouvez voir ici qu’il y a une taxe plus élevée à payer pour l’utilisation des groupes locaux de domaine. D’où la raison pour laquelle vous trouverez souvent une plus grande utilisation de groupes globaux et / ou universels dans des environnements plus vastes. La conception et la méthodologie du groupe AGDLP sont bonnes en principe, mais doivent être mises en œuvre avec sensibilité.
Vous pouvez également voir la formule représentée comme suit:
TokenSize = [12 x nombre de droits d’utilisateur] + [overhead token] + 40d + 8s
… où [12 x nombre de droits d’utilisateur] + [frais généraux token] est généralement estimé à 1200 octets.
Cela peut être augmenté en définissant le paramètre de registre Kerberos MaxTokenSize (le paramètre de registre de token de token de SSPI maximum Kerberos) à une valeur maximale prise en charge jusqu’à 65335 octets. Microsoft ne recommande pas de l’augmenter au-delà de 48000 octets. Cependant, l’augmentation flagrante de MaxTokenSize peut avoir d’autres répercussions sur les applications, telles que Microsoft Internet Information Services (IIS). La meilleure pratique est de réviser les méthodes pour réduire la taille du jeton, par exemple en réduisant et en consolidant l’appartenance à un groupe, en veillant à ce qu’il n’y ait pas de mise en boucle (nidification circulaire) en groupes et de nettoyage de l’historique de SID avant d’augmenter la taille de MaxTokenSize.
Si MaxTokenSize doit être augmenté, il est encore extrêmement important de gérer le nombre de groupes auxquels chaque utilisateur est membre. Bien que 1 024 soit le nombre maximal de groupes de sécurité auxquels un utilisateur peut être membre, il est préférable de limiter le nombre à 1 015. Ce nombre garantit que la génération de jeton réussira toujours car elle offre un espace pouvant atteindre 9 SID de groupes bien connus qui sont insérés par l’Autorité de sécurité locale (LSA) lorsqu’un utilisateur se connecte sur un ordinateur.
The MaxTokenSize registry value can be deployed via a Group Policy Object (GPO) as per KB938118.
- There is a little known UI application called TokenMaster.exe, which was released back in 2000 ( TokenMaster.zip)
- Microsoft KB327825: Problems with Kerberos authentication when a user belongs to many groups
- Microsoft KB243330: Well-known security identifiers in Windows operating systems
- Microsoft KB328889: Users who are members of more than 1,015 groups may fail logon authentication
- Microsoft KB938118: How to use Group Policy to add the MaxTokenSize registry entry to multiple computers
- Microsoft Blog: Managing Token Bloat
- Industry Blog: MaxTokenSize – Change of recommendation from Microsoft
- Global Information Assurance Certification (GIAC) Paper: Kerberos and Access Token Limitations
- SekChek International white paper: Microsoft Windows: About Security Identifiers (SIDs)
- Industry Blog: Understanding SIDs
- Industry Blog: Security Identifiers