MaxTokenSize and Kerberos Token Bloat


Overview of MaxTokenSize

The default MaxTokenSize is 12,000 bytes. This has been the default since Windows 2000 SP2 and remains the default in Windows 7 and Windows Server 2008 R2. As companies grow, so do the groups within your organization. If a user's Kerberos token becomes too big, the user will receive error messages during logon, and applications that use Kerberos authentication may fail as well.



Updated Guidance and Recommendations

In the past our guidance stated that you could increase the MaxTokenSize registry entry to 65535. However, HTTP base64-encodes authentication context tokens, and that encoded token is subject to request header size limits, so starting with Windows Server 2012 the default value of the MaxTokenSize registry entry is 48000 bytes. For the same reason we recommend that you set MaxTokenSize no larger than 48000 bytes on any OS version.



How to reduce Kerberos token bloat

To reduce the Kerberos ticket size you can:

  • Reduce or consolidate group membership
  • Clean up SID history
  • Limit the number of accounts that are configured as "trusted for delegation". For accounts configured as "trusted for delegation", the buffer requirement for each SID may double.


How to prevent Kerberos login errors due to token bloat

To allow a user to be a member of more than 900 groups, you can increase MaxTokenSize by modifying the following registry key on all workstations.

To use this parameter:

  1. Start Registry Editor (Regedt32.exe).
  2. Locate and click the following key in the registry:
  3. If this key is not present, create the key. To do so:
    1. Click the following key in the registry:
    2. On the Edit menu, click Add Key.
    3. Create a Parameters key.
    4. Click the new Parameters key.
  4. On the Edit menu, click Add Value, and then add the following registry value:
    Value name: MaxTokenSize
    Data type: REG_DWORD
    Radix: Decimal
    Value data: 48000
  5. Quit Registry Editor.
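The same procedure scripted in PowerShell, as an added example that is not code from the original article. It assumes an elevated session, uses the standard Kerberos\Parameters key under Lsa, and enforces the 48000-byte recommended maximum from the guidance above.

```powershell
# Added example (not from the article): the Registry Editor steps above, scripted.
# Assumes an elevated PowerShell session. The key path is the standard Windows
# location for Kerberos parameters; 48000 is the article's recommended maximum.
$KerberosParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$RecommendedMax = 48000

function Get-MaxTokenSize {
    # Returns the configured value, or the OS default when the value is absent
    # (12000 before Windows Server 2012 / Windows 8, 48000 from then on).
    $item = Get-ItemProperty -Path $KerberosParams -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.MaxTokenSize }
    if ([Environment]::OSVersion.Version -ge [Version]'6.2') { return 48000 }
    return 12000
}

function Set-MaxTokenSize {
    param([Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Bytes)

    # Refuse values above the recommended cap: larger tokens exceed the HTTP
    # header limits once base64-encoded and break web-based Kerberos clients.
    if ($Bytes -gt $RecommendedMax) {
        throw "$Bytes exceeds the recommended maximum of $RecommendedMax bytes"
    }
    # Step 3: create the Parameters key if it does not exist.
    if (-not (Test-Path $KerberosParams)) {
        New-Item -Path $KerberosParams -Force | Out-Null
    }
    # Step 4: REG_DWORD MaxTokenSize, decimal value. -Force overwrites an existing value.
    New-ItemProperty -Path $KerberosParams -Name MaxTokenSize -PropertyType DWord `
        -Value $Bytes -Force | Out-Null
    # Restart the computer afterwards so the new size is used for new tokens.
    return Get-MaxTokenSize
}

"Before: $(Get-MaxTokenSize) bytes"
Set-MaxTokenSize -Bytes 48000 | Out-Null
"After:  $(Get-MaxTokenSize) bytes"
```

To roll the same value out to many machines, put the value in a Group Policy Registry preference rather than running this per host.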



However, keep in mind that there is a hard limit of 1,015 groups a user can be a member of. If a user who is a member of more than 1,015 groups tries to log on to a computer by using a local or domain account, they will receive this logon message: "The system cannot log you on due to the following error: During a logon attempt, the user's security context accumulated too many security IDs. Please try again or consult your system administrator."


How to use Group Policy to add the MaxTokenSize registry entry to multiple computers

New resolution for problems with Kerberos authentication when users belong to many groups

"HTTP 400 - Bad Request (Request Header too long)" error in Internet Information Services (IIS) (KB 2020943)

Users who are members of more than 1,015 groups may fail logon authentication

Group Policy may not be applied to users belonging to many groups



Comments (15)
  1. Anonymous says:

    @soder, Not sure what you are referring to as not being COMPLETE? While I think your questions were answered, although perhaps not as directly as you were looking for, I'll try to give it a go.

    1.) For this to be as effective as possible, this setting should be applied to ALL Windows machines in the forest. To ShaneC33’s point, this is most easily accomplished by creating and applying a Group Policy Object and linking it to the domain level.

    2.) If this GPO is applied as outlined in item 1, it will STILL be necessary to make the changes to the IIS registry settings on your IIS servers.

    Best practice is to make every effort to reduce the group memberships of the users, ensure that your Exchange distribution lists have not been created as security groups (distribution group memberships do not contribute to token bloat), and update applications and operating systems as high as practical BEFORE making changes to your forest. If these measures are not effective, then make the registry change after you have a full System State backup, and then test on a handful of machines. Once you have your results, then you can deploy via GPO.

  2. soder says:

    Issues with this article:

    1) You don't state clearly what the scope of the registry setting above is. All workstations / all member servers / all DCs / all computers in the domain / forest?

    2) If the registry value is set, is it still required to adjust / hand-tune all IIS servers / Exchange servers to also accept the bloated tokens?

  3. ShaneC33 says:

    Thanks for the feedback soder. I will update my blog post with recommended guidance on where the MaxTokenSize registry key should be applied to.

    To answer your questions:

    1) If you are experiencing a token bloat issue in your environment, you can create a group policy and link it to your domain; this way all your workstations and servers get the registry key.

    2) If you are modifying the MaxTokenSize registry key on workstations and servers, more than likely you will have to modify IIS. For additional guidance on increasing the MaxFieldLength and MaxRequestBytes registry settings for IIS servers see this link:…/2020943

  4. User57 says:

    "To allow a user to be a member of more than 900 groups."

    More information around how to approximately calculate the maximum number of groups a single user can be a member of would be VERY helpful, e.g. are you saying that by default the MaxTokenSize is 12,000 bytes, which is enough for a user to be a member of UP TO 900 security groups? Also, how is the max number of groups calculated, i.e. does the group type have an impact, e.g. domain local or global security group? (12,000 bytes divided by x number of domain local groups)

  5. YourPeterPan says:

    @shanec33: Technically your response is still not valid. Linking the GPO doesn't necessarily mean it will be applied to everything in the domain. It should say clearly, "Apply this GPO to DCs, member servers and all workstations". Please keep in mind the IIS error thing before applying it.

    Please correct me if I understood it wrong or misrepresented something.

  6. Sushil kumar says:

    So is there any issue if we keep the MaxTokenSize registry value at 65535?

  7. shyguy says:

    In case anyone wanted to know.

    Domain local group SIDs are 40 bytes each in a Kerberos ticket.

    Domain global and universal group SIDs are 8 bytes each.

    There is a base token size of 1200 bytes.

    So you can calculate a token buffer size requirement:

    1200 + (40 x number of domain local groups) + (8 x number of global/universal groups)
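
The estimate above turned into a script, as an added example that is not part of the article or the comment. The per-SID sizes are the commenter's figures; the doubling for accounts trusted for delegation and the 1,015-group hard limit come from the article; the group counts are constructed, and the optional live-count helper assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not from the article or the comment. Per-SID sizes are the
# commenter's figures (1200-byte base, 40 bytes per domain local group, 8 bytes
# per global/universal group). Delegation doubling and the 1,015-group hard
# limit come from the article. The sample group counts below are constructed.
function Get-KerberosTokenEstimate {
    param(
        [Parameter(Mandatory)][int]$DomainLocalGroups,
        [Parameter(Mandatory)][int]$GlobalUniversalGroups,
        [switch]$TrustedForDelegation,
        [int]$MaxTokenSize = 12000   # pre-Windows Server 2012 default from the article
    )
    $sidBytes = (40 * $DomainLocalGroups) + (8 * $GlobalUniversalGroups)
    if ($TrustedForDelegation) { $sidBytes *= 2 }   # per-SID requirement may double
    $estimate = 1200 + $sidBytes
    $total    = $DomainLocalGroups + $GlobalUniversalGroups

    # Headroom expressed as how many more global/universal groups would still fit.
    $perGlobal = if ($TrustedForDelegation) { 16 } else { 8 }
    [pscustomobject]@{
        TotalGroups          = $total
        EstimatedBytes       = $estimate
        MaxTokenSize         = $MaxTokenSize
        ExceedsMaxTokenSize  = $estimate -gt $MaxTokenSize
        ExceedsHardLimit     = $total -gt 1015     # logon fails regardless of MaxTokenSize
        GlobalGroupsHeadroom = [math]::Max(0, [math]::Floor(($MaxTokenSize - $estimate) / $perGlobal))
    }
}

# Optional: count a user's direct memberships by scope (assumes the RSAT
# ActiveDirectory module). memberOf lists direct membership only; nested groups
# also land in the token, so treat these counts as a lower bound.
function Get-UserGroupCounts([string]$SamAccountName) {
    $groups = (Get-ADUser -Identity $SamAccountName -Properties memberOf).memberOf |
        ForEach-Object { Get-ADGroup -Identity $_ }
    @{
        DomainLocal     = @($groups | Where-Object GroupScope -eq 'DomainLocal').Count
        GlobalUniversal = @($groups | Where-Object GroupScope -ne 'DomainLocal').Count
    }
}

# Constructed scenarios: the same membership with and without delegation (10400
# vs 19600 bytes against the 12000 default), then a membership that fits in
# 48000 bytes but trips the 1,015-group hard limit.
Get-KerberosTokenEstimate -DomainLocalGroups 150 -GlobalUniversalGroups 400
Get-KerberosTokenEstimate -DomainLocalGroups 150 -GlobalUniversalGroups 400 -TrustedForDelegation
Get-KerberosTokenEstimate -DomainLocalGroups 200 -GlobalUniversalGroups 900 -MaxTokenSize 48000
```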

  8. Anonymous says:

    Pingback from get-group-membership-count.ps1 – PowerSloth

  9. soder says:

    "Glad" to see after 1 year since my last visit, the resolution of this issue is still not considered to be COMPLETE in this blogpost.

  10. Chom says:

    Soder is a clown.

  11. Yatendra says:

    Still, whether a reboot is required or not is not mentioned in the above steps. The rest of the information is quite useful and easy to understand. Thank you!

  12. Abhay says:

    Reboot is Required.

  13. Igor says:

    Thx a lot. The article helped me to resolve an issue on a high-load RMS server of SCOM.
