Windows 2003 Cannot access web page by name due to too many group memberships


Arjan Schel

Hello,

I'm not sure where to post this message, because it has to do with more than
one specific area.
We have users who belong to more than 300 groups. These users are having
trouble accessing certain corporate intranet websites by DNS name.
When we try the same pages through the IP address, it works.
When we remove some group memberships from the user, it also works.
We've seen this with more users here (even with myself).
This only happens when the web page checks my account, for example sites that
need to check my identity to show my personal page.
This happens on IIS systems and Apache Windows servers.

We first thought of the MaxTokenSize registry value, but that seems not to
be the problem.
Has anyone seen similar issues, or does anyone have a solution for me?

Thank you very much in advance.
Arjan.
 
Hello,

Is it 300 direct security group memberships?
Or is that the full total of direct AND nested group memberships?

How many groups do you have to remove to get it working? 10?

Any error on the IIS side (event log, 500...)?

Do you have a multi-forest with universal groups?

Can your application be put in "debug" mode to dump the groups it finds for your
account (to check if some are missing)?

Maybe a special character in one group name?

Did you try raising the MaxTokenSize anyway?




--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Arjan Schel" <Arjan Schel@discussions.microsoft.com> wrote in message
news:3E26B26E-F1D7-48A3-BE7F-57432BD81EE8@microsoft.com...
> Hello,
>
> I'm not sure where to post this message, because it has to do with more
> then
> one specific area.
> We have users who belong to more than 300 groups. These users are having
> trouble to access certain corporate intranet websites by dns name.
> When we try the same pages through ip-address it works.
> When we remove some groupmemberships from the user, it also works.
> We've seen this with more users here (even with myself).
> This only happens when the webpage checks my account, for example sites
> that
> need to check my identity, to show my personal page..
> This happens on IIS systems and Apache windows servers.
>
> We first thought of the MaxTokenSize registry value, but that seems not to
> be the problem.
> Does anyone have seen similar issues, or has a solution for me?
>
> Thank you very much in advance.
> Arjan.
>
 
You can use this tool to check the token size:
Tokensz
http://www.microsoft.com/downloads/...a5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en


--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


 
To calculate it yourself:

New resolution for problems with Kerberos authentication when users belong
to many groups
http://support.microsoft.com/kb/327825

TokenSize = 1200 + 40d + 8s
This formula uses the following values:
• d: The number of domain local groups a user is a member of plus the number
of universal groups outside the user's account domain plus the number of
groups represented in security ID (SID) history.
• s: The number of security global groups that a user is a member of plus
the number of universal groups in a user's account domain.
• 1200: The estimated value for ticket overhead. This value can vary
depending on factors such as DNS domain name length, client name, and other
factors.


--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


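A small calculator for the KB 327825 formula quoted above, added here as an illustration; it is not code from the thread, from the KB article or from the Tokensz tool. It sorts a constructed list of 300 groups into the d and s terms the KB defines, applies TokenSize = 1200 + 40d + 8s, and compares the estimate with a MaxTokenSize value. The group names, the domain names and the SID-history counts are made up for the example; the 12000-byte figure is the default MaxTokenSize that KB 327825 documents for systems of this era. The point it makes for troubleshooting is that the raw group count is not enough: 300 global groups in the account domain cost about 3,600 bytes, while 300 domain local groups cost about 13,200, which is already over the default.

```python
# Added example: estimate a Kerberos token size with the KB 327825 formula
# TokenSize = 1200 + 40d + 8s and check it against MaxTokenSize.
from dataclasses import dataclass
from enum import Enum


class Scope(Enum):
    DOMAIN_LOCAL = "domain local"
    GLOBAL = "global"
    UNIVERSAL = "universal"


@dataclass(frozen=True)
class Group:
    name: str
    scope: Scope
    domain: str  # DNS name of the domain that holds the group


TICKET_OVERHEAD = 1200          # KB estimate; varies with domain/client name lengths
DEFAULT_MAX_TOKEN_SIZE = 12000  # default MaxTokenSize documented in KB 327825 (bytes)


def count_d_and_s(groups, account_domain, sid_history_count=0):
    """Return (d, s) as KB 327825 defines them.

    d = domain local groups
        + universal groups outside the user's account domain
        + entries in SID history
    s = global groups
        + universal groups inside the user's account domain
    """
    d = sid_history_count
    s = 0
    for g in groups:
        if g.scope is Scope.DOMAIN_LOCAL:
            d += 1
        elif g.scope is Scope.GLOBAL:
            s += 1
        elif g.domain.lower() == account_domain.lower():
            s += 1  # universal group in the account domain
        else:
            d += 1  # universal group from another domain
    return d, s


def token_size(d, s, overhead=TICKET_OVERHEAD):
    """Apply the KB formula: 1200 + 40d + 8s."""
    return overhead + 40 * d + 8 * s


def fits(groups, account_domain, max_token_size=DEFAULT_MAX_TOKEN_SIZE,
         sid_history_count=0):
    """Return (estimate <= max_token_size, estimate) for a user's groups."""
    d, s = count_d_and_s(groups, account_domain, sid_history_count)
    size = token_size(d, s)
    return size <= max_token_size, size


# Constructed membership list: 300 groups for a user in corp.example
# (200 domain local, 90 global, 5 universal at home, 5 universal abroad).
SAMPLE_GROUPS = (
    [Group(f"APP-LOCAL-{i}", Scope.DOMAIN_LOCAL, "corp.example") for i in range(200)]
    + [Group(f"DEPT-GLOBAL-{i}", Scope.GLOBAL, "corp.example") for i in range(90)]
    + [Group(f"ALL-STAFF-{i}", Scope.UNIVERSAL, "corp.example") for i in range(5)]
    + [Group(f"PARTNER-{i}", Scope.UNIVERSAL, "eu.corp.example") for i in range(5)]
)


if __name__ == "__main__":
    for sid_hist in (0, 50):
        ok, size = fits(SAMPLE_GROUPS, "corp.example", sid_history_count=sid_hist)
        print(f"SID history {sid_hist:3d}: estimate {size} bytes, "
              f"fits default {DEFAULT_MAX_TOKEN_SIZE}: {ok}")
    print("300 global groups  :", token_size(0, 300))
    print("300 domain local   :", token_size(300, 0))
```

The SID-history parameter matters for migrated accounts: the same 300 groups fit under the default with no SID history but exceed it once 50 migrated SIDs are added, which is exactly the case where raising MaxTokenSize (as the KB suggests) changes the outcome while the visible group count does not.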
 
(Sorry for sending these one by one..)

Do you have the /3G switch on the IIS server?

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


 
Re: Cannot access web page by name due to too many group memberships

Hello Mathieu,

Thank you for all your responses.
I will try them on Monday at work.
I'll get back to you with some results!

Regards,
Arjan

"Mathieu CHATEAU" wrote:

> (Sorry for sending one by one..)
>
> Do you have the /3G on the IIS Server ?
>
> --
> Regards,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
>
 
Re: Cannot access web page by name due to too many group memberships

Hello,

I have not tried how many groups have to be removed before it works; I will
try that.
The IIS error is a 404.
I have only one forest with 3 subdomains. I'm in one of the subdomains.
We do not use the /3G switch.

I have to check the token size; I did not change it (but maybe my colleague did).
I'll inform you.

Regards,
Arjan
 
Re: Cannot access web page by name due to too many group memberships

Hello,

Checked the token size.
The domain controllers don't have the MaxTokenSize entry, so that is the default.
The intranet server has a MaxTokenSize entry of 65535.
I've configured my PC to have a MaxTokenSize of 65535, as I have on both
my DCs. I will test again and let you know.
Is a reboot necessary perhaps?
And I cannot see exactly where I have to place the MaxTokenSize registry
key.
Is that on all PCs and servers?

Regards,
Arjan
 