
Cannot access web page by name due to too many group memberships



Guest Arjan Schel
Posted

Hello,

I'm not sure where to post this message, because it has to do with more than one specific area.
We have users who belong to more than 300 groups. These users are having trouble accessing certain corporate intranet websites by DNS name.
When we try the same pages through IP address it works.
When we remove some group memberships from the user, it also works.
We've seen this with more users here (even with myself).
This only happens when the webpage checks my account, for example sites that need to check my identity to show my personal page.
This happens on IIS systems and Apache Windows servers.

We first thought of the MaxTokenSize registry value, but that seems not to be the problem.
Has anyone seen similar issues, or does anyone have a solution for me?

Thank you very much in advance.
Arjan.

Guest Mathieu CHATEAU
Posted

Re: Cannot access web page by name due to too many group memberships

 

Hello,

Is it 300 direct security group memberships?
Or is that the full total of direct AND nested group memberships?

How many groups must you take off to get it working? 10?

Any error on the IIS (eventlog, 500...)?

Do you have a multi-forest with universal groups?

Can your application be put in "debug" mode to dump the groups it finds for your account (to check if some are missing)?

Maybe a special character in one group name?

Did you try raising the MaxTokenSize anyway?

 

 

 

 

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

Guest Mathieu CHATEAU
Posted

Re: Cannot access web page by name due to too many group memberships

 

You can use this tool to check the token size:
Tokensz
http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en

 

 

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

Guest Mathieu CHATEAU
Posted

Re: Cannot access web page by name due to too many group memberships

 

To calculate it yourself:

New resolution for problems with Kerberos authentication when users belong to many groups
http://support.microsoft.com/kb/327825

TokenSize = 1200 + 40d + 8s

This formula uses the following values:
• d: The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain plus the number of groups represented in security ID (SID) history.
• s: The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain.
• 1200: The estimated value for ticket overhead. This value can vary depending on factors such as DNS domain name length, client name, and other factors.

 

 

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
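Added example (not part of the post above or of the KB article): the TokenSize estimate applied to a constructed membership list, sorting each group into d or s and comparing the result with the 65535 value mentioned in this thread. The domain names, the group mix, the 12000-byte default and the 16384-byte HTTP header limit are assumptions.

```python
import math
from dataclasses import dataclass

# Limits to compare against. Only 65535 comes from the thread; the rest are assumptions.
DEFAULT_MAX_TOKEN = 12000   # assumed MaxTokenSize default (pre-Windows Server 2012)
RAISED_MAX_TOKEN = 65535    # value Arjan reports on the intranet server
HTTP_HEADER_LIMIT = 16384   # assumed per-header byte limit on the web server

@dataclass
class Group:
    scope: str              # "DomainLocal", "Global" or "Universal"
    domain: str
    security: bool = True   # distribution groups are not placed in the token

def count_d_s(groups, account_domain, sid_history=0):
    """Return (d, s) as defined for TokenSize = 1200 + 40d + 8s."""
    d, s = sid_history, 0
    for g in groups:
        if not g.security:
            continue
        if g.scope == "DomainLocal":
            d += 1
        elif g.scope == "Universal":
            # Universal groups count as s only inside the user's account domain.
            if g.domain == account_domain:
                s += 1
            else:
                d += 1
        elif g.scope == "Global":
            s += 1
        else:
            raise ValueError(f"unknown group scope: {g.scope!r}")
    return d, s

def assess(groups, account_domain, sid_history=0, overhead=1200):
    d, s = count_d_s(groups, account_domain, sid_history)
    size = overhead + 40 * d + 8 * s
    header = 4 * math.ceil(size / 3)   # base64 growth inside an HTTP Negotiate header
    return {"d": d, "s": s, "token_bytes": size, "header_bytes": header,
            "over_default": size > DEFAULT_MAX_TOKEN,
            "over_raised": size > RAISED_MAX_TOKEN,
            "over_http_limit": header > HTTP_HEADER_LIMIT}

def sample_groups(home="sub1.corp.example", other="sub2.corp.example"):
    """Constructed membership of 305 groups for a user in `home`."""
    return ([Group("DomainLocal", home)] * 230 + [Group("Universal", other)] * 30
            + [Group("Universal", home)] * 10 + [Group("Global", home)] * 30
            + [Group("Global", home, security=False)] * 5)

if __name__ == "__main__":
    print(assess(sample_groups(), "sub1.corp.example", sid_history=10))
```

With this constructed mix the estimate is 12320 bytes: above the assumed 12000 default, well below 65535, yet about 16428 bytes once base64-encoded, so a web server's header limit can still reject the request after MaxTokenSize has been raised.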

Guest Mathieu CHATEAU
Posted

Re: Cannot access web page by name due to too many group memberships

 

(Sorry for sending these one by one.)

Do you have the /3G on the IIS Server?

 

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

Guest Arjan Schel
Posted

Re: Cannot access web page by name due to too many group membershi

 


 

Hello Mathieu,

Thank you for all your responses.
I will try them on Monday at work.
I'll get back to you with some results!

 

Regards,
Arjan

Guest Arjan Schel
Posted

Re: Cannot access web page by name due to too many group membershi

 


 

Hello,

I have not tried how many groups have to be deleted before it works, I will try that.
The IIS error is a 404.
I have only one forest with 3 subdomains. I'm in one of the subdomains.
We do not have the /3G switch used.

I have to check the token size, I did not change it (but maybe my colleague).
I'll inform you.

Regards,
Arjan

Guest Arjan Schel
Posted

Re: Cannot access web page by name due to too many group membershi

 


 

Hello,

Checked the token size.
The domain controllers don't have the MaxTokenSize entry, so that is default.
The intranet server has a MaxTokenSize entry of 65535.
I've configured my PC to have the MaxTokenSize of 65535 as I have with both my DCs. I will test again and let you know.
Is a reboot necessary perhaps?
And I cannot see where exactly I have to place the registry key of the MaxTokenSize.
Is that all PCs and servers?

Regards,
Arjan
