Firewall Client Error when Browsing a Web Site

Last week I was working on a very interesting case where only one specific user was having a problem browsing the Internet through ISA Server 2006. When this user tried to access the Internet, he received a page with a time-out error message and the Firewall Client icon turned red immediately. The interesting part was that regardless of the client workstation this user logged on to, the behavior was always the same.


The approach used to identify what was going on was:

· Use the LDIFDE utility to dump the user account that works and compare it to the user account that doesn’t work. You can see more details on how to use this utility at https://support.microsoft.com/kb/271201

· Use ISA Data Packager on the ISA Server in repro mode with the Web Proxy and Web Publishing template.

· Use ISA Data Packager on the client side with the Firewall Client template.
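The first step above is a side-by-side comparison of the two accounts. As an added example that is not part of the original post, the following PowerShell script dumps both accounts with ldifde and lists the groups that only the failing account belongs to. The two distinguished names and the output file names are placeholders; it assumes a domain-joined machine with ldifde.exe available.

```powershell
# Added example, not from the original post: dump the working and the failing account with
# ldifde, then compare their memberOf attributes. DNs and file names are placeholders.
$workingDn = 'CN=Working User,OU=Users,DC=example,DC=local'   # placeholder
$brokenDn  = 'CN=Broken User,OU=Users,DC=example,DC=local'    # placeholder

# -d: root DN   -p base: export that single object only   -l: attribute list   -f: output file
ldifde -f working.ldf -d $workingDn -p base -l memberOf
ldifde -f broken.ldf  -d $brokenDn  -p base -l memberOf

function Get-MemberOfFromLdif([string]$Path) {
    # ldifde folds long values onto continuation lines that start with one space;
    # unfold them first so every memberOf DN sits on a single line.
    # Values ldifde base64-encodes (written as "memberOf:: ...") are not decoded here.
    $text = [IO.File]::ReadAllText($Path) -replace "`r?`n ", ''
    $text -split "`r?`n" |
        Where-Object { $_ -like 'memberOf: *' } |
        ForEach-Object { $_.Substring('memberOf: '.Length) }
}

$working = @(Get-MemberOfFromLdif 'working.ldf')
$broken  = @(Get-MemberOfFromLdif 'broken.ldf')

"Working account: {0} direct groups, failing account: {1} direct groups" -f $working.Count, $broken.Count

# Groups that only the failing account is a direct member of
$broken | Where-Object { $working -notcontains $_ }
```

Keep in mind that memberOf lists direct memberships only (and not the primary group); the Kerberos ticket carries the transitive set, so the number of groups that actually end up in the token is higher than this count.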


Here are some interesting points that were found:

· The user that was having the problem was a member of hundreds of groups.

· Netmon trace shows KRB5KRB_ERR_RESPONSE_TOO_BIG, which according to https://technet.microsoft.com/en-us/library/bb463166.aspx means “too much data”.


It boiled down to exactly that: the user belonged to so many groups that the Kerberos token was too big. To work around it, the following registry value was added on the client workstation:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\MaxTokenSize = 65535


To confirm that you are having this problem you can also use the Tokensz tool and check how big your Kerberos token actually is.
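If Tokensz is not at hand, a quick estimate from the logged-on user's group SIDs is often enough to tell whether you are near the limit. The PowerShell script below is an added example and not part of the original post: it applies Microsoft's upper-bound sizing formula (1200 bytes of overhead plus 40 bytes per group SID) and compares the result with the MaxTokenSize in effect on the workstation. It reads the value from HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which is the location Microsoft documents for MaxTokenSize (note the Parameters subkey), and assumes the built-in default when no value is set.

```powershell
# Added example, not from the original post: estimate the current user's Kerberos token size
# from its group SIDs and compare it with the effective MaxTokenSize on this machine.
# Assumption: the estimate is the upper bound 1200 + 40 * (group SID count), so it slightly
# overstates tokens whose groups are mostly global groups from the user's own domain.

function Get-KerberosTokenEstimate {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Groups holds every group SID in the logon token, nested and well-known groups included
    $groupCount = $identity.Groups.Count
    New-Object PSObject -Property @{
        User           = $identity.Name
        GroupCount     = $groupCount
        EstimatedBytes = 1200 + (40 * $groupCount)
    }
}

function Get-EffectiveMaxTokenSize {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $item = Get-ItemProperty -Path $path -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($item -ne $null) { return [int]$item.MaxTokenSize }
    # No explicit value: the built-in default is 12000 bytes before Windows 8 / Server 2012
    # (NT 6.2) and 48000 bytes from then on
    if ([Environment]::OSVersion.Version -ge [Version]'6.2') { return 48000 } else { return 12000 }
}

$estimate = Get-KerberosTokenEstimate
$limit    = Get-EffectiveMaxTokenSize
$estimate | Format-List User, GroupCount, EstimatedBytes

if ($estimate.EstimatedBytes -gt $limit) {
    Write-Warning ("Estimated token of {0} bytes exceeds MaxTokenSize {1}; expect Kerberos failures like the one described above" -f $estimate.EstimatedBytes, $limit)
} else {
    Write-Host ("Estimated token of {0} bytes is within MaxTokenSize {1}" -f $estimate.EstimatedBytes, $limit)
}
```

One caveat when raising the value: 65535 is the absolute ceiling, but a ticket that travels inside an HTTP Negotiate header (as it does through a web proxy) is base64-encoded on the wire, which is why Microsoft recommends not going above 48000 bytes for HTTP scenarios. The real fix is still to trim the group sprawl on the account rather than to keep raising the limit.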