Microsoft Active Directory And Group Issues



Users who are members of more than 1,015 groups may fail logon authentication#

When a user tries to log on to a computer by using a local computer account or a domain user account, the logon request may fail with the following error message:
  Logon Message: The system cannot log you on due to the following error: During a logon attempt, the user's security context accumulated too many security IDs. Please try again or consult your system administrator.
The same condition is reported to applications as Win32 error 1384, ERROR_TOO_MANY_CONTEXT_IDS (NTSTATUS 0xC000015A, STATUS_TOO_MANY_CONTEXT_IDS), which is the string to search for in logon and application logs. This problem occurs when a user who is a member of more than 1,015 security groups tries to log on.

When a user logs on to a computer, the Local Security Authority (LSA, a part of the Local Security Authority Subsystem) generates an access token for the user to represent the security context of the user. The access token contains the user’s unique security identifier (SID) and the SIDs of every group that the user is a member of, including transitive groups.

Exceptions to This Behavior#

The only exception to this behavior is that not all domain local security groups that the user is a member of will show up in the user’s token. The only domain local security groups that will show up (in the user’s token) are those groups that the user is a member of that also reside in the domain that contains the computer account that the user is logging on to.

Because of a system limitation, the field in the access token that holds the SIDs of the user's group memberships can contain at most 1,024 SIDs. If a user is a member of more than 1,024 security groups, the LSA cannot build an access token for the user, so the logon fails. During token generation, depending on the type of logon being performed, the LSA also inserts up to 9 well-known SIDs (for example Everyone, Authenticated Users and the logon-type SID such as Interactive or Network) in addition to the SIDs for the user's group memberships, which are evaluated transitively.

Because the LSA adds these well-known SIDs, a user who is a member of more than 1,015 (that is, 1,024 minus 9) security groups can push the total past the 1,024 SID limit, and the LSA will not create an access token for the logon attempt. (The 1,015 count includes memberships in local groups on the computer that the user is trying to log on to.) Because no token can be built, the user cannot log on. Note that this is a hard limit on the access token itself: it is separate from the MaxTokenSize Kerberos buffer discussed in the next section, and raising MaxTokenSize does not lift it.

Updated Guidance and Recommendations [1]#

Earlier guidance said that the MaxTokenSize registry entry (REG_DWORD MaxTokenSize under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters) could be raised to 65535. Starting with Windows 8 and Windows Server 2012 the default is 48000 bytes instead. The reason is HTTP: when a Kerberos ticket is carried in an HTTP Authorization header it is base64-encoded, which expands it by about a third, so a 48000-byte token becomes roughly 64000 characters and still fits under the approximately 64 KB header limit that HTTP.sys and IIS can accept, whereas a 65535-byte token would not. For that reason the recommendation is to set MaxTokenSize no larger than 48000 bytes on any OS version. On Windows 8 and Windows Server 2012 and later the same value can be managed centrally with the Group Policy setting "Set maximum Kerberos SSPI context token buffer size" under Computer Configuration\Administrative Templates\System\Kerberos.

How to reduce Kerberos token bloat#

To reduce the Kerberos Ticket Size you can:
  • Reduce/consolidate group membership
  • Clean up SID History
  • Limit the number of accounts that are configured as "trusted for delegation". For an account that is trusted for delegation, the buffer requirement for each SID may double.
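
As an added example, not part of the original page or of Microsoft's documentation, the following PowerShell script ties the two limits above together: it counts a user's transitive security-group membership against the 1,015-group logon ceiling from the first section, and applies Microsoft's published sizing estimate for the Kerberos ticket, TokenSize = 1200 + 40d + 8s, to compare with the effective MaxTokenSize on the machine it runs on. The formula and its d/s split are from Microsoft's MaxTokenSize guidance; the doubling for accounts trusted for delegation follows the list item above. Assumptions: the ActiveDirectory PowerShell module (RSAT) is installed, the running account can read group membership, the helper and variable names are mine, and local groups on the target computer are not counted.

```powershell
# Added example (not from the original page): estimate how close a domain user is to
# the 1,015-group logon ceiling and to MaxTokenSize.
# Run as:  .\Get-TokenEstimate.ps1 -SamAccountName jdoe
param([Parameter(Mandatory = $true)][string]$SamAccountName)

Import-Module ActiveDirectory

# Escape a DN for use inside an LDAP filter (RFC 4515), backslash first.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

$user = Get-ADUser -Identity $SamAccountName -Properties sidHistory, TrustedForDelegation, primaryGroupID
$userDomainSid = $user.SID.AccountDomainSid

# Transitive (nested) security-group membership, resolved server-side with the
# LDAP_MATCHING_RULE_IN_CHAIN rule so the domain controller walks the nesting for us.
$dn = ConvertTo-LdapFilterValue $user.DistinguishedName
$groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
            Where-Object { $_.GroupCategory -eq 'Security' })

# Inputs to the Microsoft sizing formula TokenSize = 1200 + 40d + 8s:
#   d = domain local groups + universal groups from other domains + SID-history entries
#   s = global groups + universal groups from the user's own domain
$d = 0; $s = 0
foreach ($g in $groups) {
    $sameDomain = ($g.SID.AccountDomainSid -eq $userDomainSid)
    switch ($g.GroupScope) {
        'DomainLocal' { $d++ }
        'Global'      { $s++ }
        'Universal'   { if ($sameDomain) { $s++ } else { $d++ } }
    }
}
# The primary group (primaryGroupID, usually Domain Users) is not stored in any
# member attribute, so the chain query misses it; count it as one global group.
$s++
$sidHistoryCount = @($user.sidHistory).Count
$d += $sidHistoryCount

$perSidBytes = 40 * $d + 8 * $s
if ($user.TrustedForDelegation) { $perSidBytes *= 2 }   # delegation may double the per-SID buffer
$estimatedBytes = 1200 + $perSidBytes

# Effective MaxTokenSize on this machine: explicit registry value, else the OS default
# (12000 before Windows 8 / Server 2012, 48000 from those versions on).
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$maxTokenSize = (Get-ItemProperty -Path $kerbKey -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
if (-not $maxTokenSize) {
    $maxTokenSize = if ([Environment]::OSVersion.Version -ge [Version]'6.2') { 48000 } else { 12000 }
}

# SIDs that will land in the access token from the domain side: groups + SID history
# (+1 for the primary group). Local groups on the target computer would add to this.
$tokenSidsFromDomain = $groups.Count + 1 + $sidHistoryCount

[pscustomobject]@{
    User                 = $user.SamAccountName
    TransitiveGroups     = $groups.Count + 1
    SidHistoryEntries    = $sidHistoryCount
    TrustedForDelegation = [bool]$user.TrustedForDelegation
    EstimatedTokenBytes  = $estimatedBytes
    MaxTokenSize         = $maxTokenSize
    NearSidLimit         = $tokenSidsFromDomain -gt 900      # within reach of the 1,015 ceiling
    ExceedsMaxTokenSize  = $estimatedBytes -gt $maxTokenSize
}
```

Two readings of the output matter. ExceedsMaxTokenSize is fixable on the client and server side by raising MaxTokenSize (write a REG_DWORD MaxTokenSize under the same key, or use the Group Policy setting named above), but per the guidance above never beyond 48000. NearSidLimit is not: once the SID count crosses 1,015 no MaxTokenSize value helps, and the only remedies are the three in the list above, consolidating groups, removing SID history, and reducing delegation.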

Dynamic Access Control [2]#

Microsoft's answer to group proliferation is Dynamic Access Control, introduced in Windows Server 2012. Instead of creating a security group for every combination of who may reach what, Dynamic Access Control lets file access be expressed as conditional expressions over user and device claims and resource properties (classification) stored in Active Directory, with central access and audit policies applied on top. Fewer groups per user means fewer SIDs in the token, which is why it is relevant to the limits described above.

More Information#

There might be more information for this subject on one of the following: