Hi,

With Domain functional level "Windows Server 2012" comes a new Group Policy to 
set a maximum for the Kerberos SSPI context token buffer size.

https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx

https://technet.microsoft.com/en-us/library/hh831747.aspx  (Search for "Group 
Policy to set a maximum for the Kerberos SSPI context token buffer size")

Maybe this setting could fix your problem.

Best regards,
Thomas

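As an added example (not from either message in this thread), the following PowerShell script estimates a user's Kerberos token size from their group memberships with Microsoft's published formula (1200 + 40d + 8s, KB 327825) and compares it with the MaxTokenSize value that the policy mentioned above writes to the registry, so an admin can check whether the group-bloated PAC described in the question below actually exceeds the Windows-side buffer. It assumes the ActiveDirectory module is available; the account name is a placeholder.

```powershell
# Added example: estimate a user's Kerberos token size and compare it with the
# MaxTokenSize limit enforced on this host. Requires the ActiveDirectory module.
param([string]$SamAccountName = 'jdoe')   # placeholder account, replace it

# Effective buffer limit on this machine. The "Set maximum Kerberos SSPI context
# token buffer size" policy writes MaxTokenSize here; when the value is absent
# the OS default applies (12000 bytes before Windows 8/2012, 48000 afterwards).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$params = Get-ItemProperty $regPath -ErrorAction SilentlyContinue
$maxTokenSize = if ($params -and $params.MaxTokenSize) { $params.MaxTokenSize } else { 48000 }

$user   = Get-ADUser $SamAccountName -Properties SIDHistory
$domain = (Get-ADDomain).DNSRoot
# Direct memberships only; nested groups also end up in the PAC, so the real
# figure is at least what is computed here.
$groups = Get-ADPrincipalGroupMembership $user | Get-ADGroup -Properties GroupScope

# d: domain local groups + universal groups outside the account domain + SID history
# s: global groups + universal groups inside the account domain
$d = 0; $s = 0
foreach ($g in $groups) {
    # Derive the group's DNS domain from the DC= components of its DN
    $gDomain = ($g.DistinguishedName -replace '^.*?DC=', 'DC=') -replace ',DC=', '.' -replace '^DC=', ''
    switch ($g.GroupScope) {
        'DomainLocal' { $d++ }
        'Global'      { $s++ }
        'Universal'   { if ($gDomain -ieq $domain) { $s++ } else { $d++ } }
    }
}
$d += @($user.SIDHistory).Count

$estimate = 1200 + 40 * $d + 8 * $s
[pscustomobject]@{
    User          = $SamAccountName
    DomainLocal_d = $d
    Global_s      = $s
    EstimatedSize = $estimate
    MaxTokenSize  = $maxTokenSize
    Exceeds       = ($estimate -gt $maxTokenSize)
}
```

The estimate covers only the Windows SSPI buffer; the buffers of the non-Windows applications on the MIT side are sized independently, so a result below the limit here does not rule out overflow there.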
-----Original Message-----
From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On behalf of 
Jerry Shipman
Sent: Tuesday, 15 November 2016 20:04
To: kerberos@mit.edu
Subject: AD integration (ticket size) question

Hello,

This is probably not a great question for this list -- I apologize. But, I 
figured you all would have a better idea than I do.

We have cross-realm authentication with an Active Directory installation. We 
run into occasional issues with the AD Kerberos tickets being too large to fit 
into application buffers, etc. -- I guess because of all the group information 
in the PAC (i.e. users who are in a lot of AD groups have larger tickets).

On my side of the integration, we're never using that PAC information anyway. 
Is there a way that I can get rid of that information, either on the KDC side 
or on the client side?
I am thinking things like:
1. maybe there is a way in the kerberos client code to make the request to AD, 
to ask it not to put that stuff in there, and give a smaller ticket?
2. or maybe there is a configuration option on the MIT KDC, that will strip 
that information out while it's building the tickets for the MIT realm? (I'm 
not sure if this is technically possible.)
3. or maybe there is a configuration option on AD to tell it to filter out that 
information when it is issuing cross-realm tickets just to that one (MIT) realm?
Or something I didn't think of.

I don't know if I would be able to implement any of those, even if they are 
possible...but, I am curious about whether there are any options.

Thanks a lot,
Jerry Shipman



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
