Users who are members of more than 1,015 groups may fail logon authentication

When a user tries to log on to a computer by using a local computer account or a domain user account, the logon request may fail with the following error message:

Logon Message: The system cannot log you on due to the following error: During a logon attempt, the user’s security context accumulated too many security IDs. Please try again or consult your system administrator.

This problem occurs when a user who is a member of more than 1,015 security groups tries to log on.
When a user logs on to a computer, the Local Security Authority (LSA, a part of the Local Security Authority Subsystem) generates an access token for the user to represent the security context of the user. The access token contains the user’s unique security identifier (SID) and the SIDs of every group that the user is a member of, including transitive groups.
Exceptions to This Behavior

The only exception to this behavior is that not every domain local security group the user belongs to appears in the user’s token. A domain local group is included only if it resides in the domain that contains the computer account the user is logging on to.
Because of a system limitation, the field that contains the SIDs of the user’s group memberships in the access token can contain a maximum of 1,024 SIDs. If a user is a member of more than 1,024 security groups, the LSA cannot create an access token for the user during the logon attempt. Therefore, the user will not be able to log on. During access token generation, depending on the type of logon being performed, the LSA also inserts up to 9 well-known SIDs in addition to the SIDs for the user’s group memberships (evaluated transitively).
Because of the well-known SIDs added by the LSA, if a user is a member of more than 1,015 (that is, 1,024 minus 9) security groups, the total exceeds the 1,024 SID limit, and the LSA cannot create an access token for the user during the logon attempt. (This 1,015 figure includes memberships in local groups of the computer that the user is trying to log on to.) Because the user cannot be authenticated, they cannot log on.
How to reduce Kerberos token bloat

To reduce the Kerberos ticket size you can:
- Reduce/consolidate group membership
- Clean up SID History
- Limit the number of accounts that are configured as "trusted for delegation". For an account configured as "trusted for delegation", the buffer requirement for each SID may double.
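The SID-limit arithmetic above (1,024 SIDs, up to 9 of them well-known, so 1,015 groups), the domain local group exception, and the effect of the three reduction steps in this list can be modelled offline. The following Python is an added example, not code from the original article: the directory it builds is constructed sample data, and the ticket-size estimate uses the formula published in Microsoft's MaxTokenSize guidance (1200 + 40d + 8s, doubled for accounts trusted for delegation), which the article itself does not quote and which is therefore an assumption here.

```python
from dataclasses import dataclass, field

MAX_TOKEN_SIDS = 1024                            # SIDs the token's group field can hold
WELL_KNOWN_SIDS = 9                              # up to 9 well-known SIDs inserted by the LSA
GROUP_LIMIT = MAX_TOKEN_SIDS - WELL_KNOWN_SIDS   # 1,015: the figure quoted in the article


@dataclass
class Group:
    domain: str                                  # domain the group object lives in
    scope: str                                   # "domain_local", "global" or "universal"
    member_of: set = field(default_factory=set)  # groups this group is nested in


@dataclass
class User:
    domain: str                                  # the user's account domain
    member_of: set                               # direct group memberships
    sid_history: int = 0                         # number of sIDHistory entries
    trusted_for_delegation: bool = False


def transitive_groups(user, directory):
    """Expand nested membership; the token holds transitive groups."""
    seen, stack = set(), list(user.member_of)
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(directory[g].member_of)
    return seen


def token_groups(user, directory, computer_domain):
    """Groups that reach the token on a computer in computer_domain. Domain
    local groups are included only when they live in that same domain."""
    return {g for g in transitive_groups(user, directory)
            if directory[g].scope != "domain_local"
            or directory[g].domain == computer_domain}


def token_sid_count(user, directory, computer_domain):
    """Worst-case SID count in the group field: groups, SID history entries
    and the well-known SIDs. The user's own SID is stored separately."""
    return (len(token_groups(user, directory, computer_domain))
            + user.sid_history + WELL_KNOWN_SIDS)


def can_build_token(user, directory, computer_domain):
    """True when the LSA can fit every SID into the token (logon succeeds)."""
    return token_sid_count(user, directory, computer_domain) <= MAX_TOKEN_SIDS


def estimated_ticket_size(user, directory, computer_domain):
    """Assumed formula (Microsoft MaxTokenSize guidance, not quoted in the
    article): 1200 + 40*d + 8*s, doubled for delegation. d counts domain local
    groups, universal groups outside the user's domain and SID history entries;
    s counts global groups and universal groups in the user's own domain."""
    d, s = user.sid_history, 0
    for g in token_groups(user, directory, computer_domain):
        grp = directory[g]
        if grp.scope == "global" or (grp.scope == "universal" and grp.domain == user.domain):
            s += 1
        else:
            d += 1
    size = 1200 + 40 * d + 8 * s
    return size * 2 if user.trusted_for_delegation else size


def build_sample_directory(n_global, n_local_other_domain):
    """Constructed sample data: n_global global groups in CORP, each nested in
    one universal 'All-Staff' group, plus domain local groups living in PARTNER."""
    directory = {"CORP\\All-Staff": Group("CORP", "universal")}
    for i in range(n_global):
        directory[f"CORP\\G{i}"] = Group("CORP", "global", {"CORP\\All-Staff"})
    for i in range(n_local_other_domain):
        directory[f"PARTNER\\DL{i}"] = Group("PARTNER", "domain_local")
    return directory


if __name__ == "__main__":
    directory = build_sample_directory(1010, 20)
    user = User("CORP", {g for g in directory if g != "CORP\\All-Staff"}, sid_history=10)
    for computer_domain in ("CORP", "PARTNER"):
        print(computer_domain, token_sid_count(user, directory, computer_domain),
              "logon ok" if can_build_token(user, directory, computer_domain) else "logon FAILS",
              "ticket ~", estimated_ticket_size(user, directory, computer_domain), "bytes")
    user.sid_history = 0                         # remediation: clean up SID history
    print("after SID history cleanup, CORP logon ok:", can_build_token(user, directory, "CORP"))
```

In the sample, the 20 PARTNER domain local groups do not count when the user logs on to a CORP computer but do count on a PARTNER computer, which is why the same user can log on in one domain and fail in the other; removing the ten SID history entries alone is enough to bring the CORP logon back under the limit.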
More Information

There might be more information on this subject in one of the following:
- [#1] - MaxTokenSize and Kerberos Token Bloat - based on information retrieved 2013-07-11
- [#2] - Dynamic Access Control: An Active Directory Game Changer - based on information retrieved 2013-07-11