What does a Kerberos authentication server issue to a client that successfully authenticate?

Every time users log into a service by providing their credentials, they are potentially exposed to attacks, especially if they’re using unsafe network protocols. For instance, an attacker could use a simple packet sniffer to recover your user ID and password especially if they’re not encrypted.

Table of Contents Show

What is Kerberos?
How Kerberos Works
Advantages & disadvantages of Kerberos
Installing & using Kerberos
Related reading
Calculating the maximum token size
Known issues that affect MaxTokenSize

What does this mean? Every time I provide my credentials to a service, should I be afraid that they could be stolen? Potentially—however, there are many precautions that we should consider when accessing a service over the internet like:

Always using certified websites having https in their web address
Using CSRF protection
Disallowing framing
Logging out from applications

To address potential insecurity when using authentication, new safe protocols have been created and one of them is Kerberos.

What is Kerberos?

Kerberos is the mythological three-headed Greek creature which is guarding the gates of underworld to prevent souls from escaping. With that as its inspiration, the Massachusetts Institute of Technology developed a protocol to protect its own projects in the late 1980s.

The idea behind Kerberos is simple: authenticating users while avoiding sending passwords over the internet.

This protocol can be easily adopted even on insecure networks as it is based on a strong cryptography and it’s developed on a client-server model. Enabling a service to use Kerberos authentication is referred to as making the service “Kerberos aware”. This is actually possible for the majority of software.

How Kerberos Works

When authenticating, Kerberos uses symmetric encryption and a trusted third party which is called a Key Distribution Center (KDC).

At the moment of the authentication, Kerberos stores a specific ticket for that session on the user’s machine and any Kerberos aware service will look for this ticket instead of prompting the user to authenticate through a password.

Source: BMC Software

These are the steps in Kerberos Authentication:

PC Client logs on the domain. A Ticket-Granting Ticket (TGT) request is sent to a Kerberos KDC
The Kerberos KDC returns a TGT and a session key to the PC Client
A ticket request for the application server is sent to the Kerberos KDC. This request consists of the PC Client, TGT and an authenticator.
The Kerberos KDC returns a ticket and a session key to PC Client.
The ticket is sent to the application server. Upon receiving the ticket and the authenticator, the server can authenticate the PC Client.
The server replies to the PC Client with another authenticator. On receiving this authenticator, the PC Client can authenticate the server.

Kerberos integration is also supported by Remedy Single Sign On which is the main authentication module that is used for a great number of BMC products.

In Remedy Single Sign On, it is possible to configure a Kerberos as the authentication service. In this case, Remedy Single Sign On validates the token that is sent from a client (e.g., a browser to give access to BMC Digital Workplace) together with a KDC and lets the user log into the application using her/his Windows credential.

Advantages & disadvantages of Kerberos

Like many technical solutions, Kerberos has advantages as well as some weaknesses.

The principal advantages in adopting Kerberos as an authentication service are:

Passwords are never sent across the network because only keys are sent in an encrypted form;
Authentication is mutual, so client and server authenticate at the same steps and they are both sure they are communicating with the right counterpart;
Authentications are reusable and do not expire;
Kerberos is entirely based on open Internet standards and;
Kerberos is adopted by a huge number of industries, so any new weaknesses in its security protocol or in underlying modules are quickly corrected.

The weaknesses of Kerberos are:

If a non-authorized user has access to the Key Distribution Center, the whole authentication system is compromised.
Kerberos can only be adopted by Kerberos aware applications. It could be a problem to rewrite the code for some applications in order to make them Kerberos aware.

Installing & using Kerberos

When using Kerberos authentication in Remedy Single Sign On, you need to remember to enable Kerberos authentication for the browsers you’re using. It is not always enabled by default. Here’s how to do that for two commonly used web browsers.

For Internet Explorer:

On the Internet Options dialog box, select the Advanced tab.
Then, scroll down to the Security settings. Select the Enable Integrated Windows Authentication check box.
Click the OK button and then, restart the browser so that the settings take effect.

For Firefox:

Open Firefox and enter about:config in the address bar. Dismiss any warnings that appear.
In the Filter field, enter negotiate.
Double-click the network.negotiate-auth.trusted-uris preference. This preference lists the trusted sites for Kerberos authentication.
In the dialog box, enter the Remedy Single Sign On domain, such as rsso.bmc.com.
Click the OK button.

As you can see, Kerberos provides another way to authenticate that thwarts bad actors who hope to steal passwords. Even further, it can be effectively utilized with applications that are Kerberos aware. While there are some downsides, it’s another tool to make single-sign-on run smoothly while keeping passwords safe.

If you would like to utilize Kerberos with your BMC Remedy Single Sign On, please fill out our form and an expert will reach out to get you started.

These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.

See an error or have a suggestion? Please let us know by emailing .

Article
8 minutes to read

This article helps you solve the problems of Kerberos authentication failure when a user belongs to many groups.

Applies to: Windows 10 - all editions, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2
Original KB number: 327825

Symptoms

A user who belongs to a large number of security groups has problems authenticating. When authenticating, the user may see a message such as HTTP 400 - Bad Request (Request Header too long). The user also has problems accessing resources, and the user's Group Policy settings may not update correctly.

For more information about the context of the error, see HTTP 400 Bad Request (Request Header too long) responses to HTTP requests.

Note

Under similar conditions, Windows NTLM authentication works as expected. You may not see the Kerberos authentication problem unless you analyze the Windows behavior. However, in such scenarios, Windows may not be able to update Group Policy settings.

This behavior occurs in any of the currently supported Windows versions. For information about the currently supported versions of Windows, see Windows lifecycle fact sheet.

Cause

The user cannot authenticate because the ticket that Kerberos builds to represent the user is not large enough to contain all of the user's group memberships.

As part of the Authentication Service Exchange, Windows builds a token to represent the user for purposes of authorization. This token (also called an authorization context) includes the security identifiers (SID) of the user, and the SIDs of all of the groups that the user belongs to. It also includes any SIDs that are stored in the user account's sIDHistory attribute. Kerberos stores this token in the Privilege Attribute Certificate (PAC) data structure in the Kerberos Ticket-Getting Ticket (TGT). Starting with Windows Server 2012, Kerberos also stores the token in the Active Directory Claims information (Dynamic Access Control) data structure in the Kerberos ticket. If the user is a member of a large number of groups, and if there are many claims for the user or the device that is being used, these fields can occupy lots of spaces in the ticket.

The token has a fixed maximum size (MaxTokenSize). Transport protocols such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication operations. MaxTokenSize has the following default value, depending on the version of Windows that builds the token:

Windows Server 2008 R2 and earlier versions, and Windows 7 and earlier versions: 12,000 bytes
Windows Server 2012 and later versions, and Windows 8 and later versions: 48,000 bytes

Generally, if the user belongs to more than 120 universal groups, the default MaxTokenSize value does not create a large enough buffer to hold the information. The user cannot authenticate and may receive an out of memory message. Additionally, Windows may not be able to apply Group Policy settings for the user.

Note

Other factors also affect the maximum number of groups. For example, SIDs for global and domain-local groups have smaller space requirements. Windows Server 2012 and later versions add claim information to the Kerberos ticket, and also compress resource SIDs. Both features change the space requirements.

Resolution

To resolve this problem, update the registry on each computer that participates in the Kerberos authentication process, including the client computers. We recommend that you update all of your Windows-based systems, especially if your users have to log on across multiple domains or forests.

On each of these computers, set the MaxTokenSize registry entry to a larger value. You can find this entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters subkey. The computers have to restart after you make this change.

For more information about determining a new value for MaxTokenSize, see the Calculating the maximum token size section of this article.

For example, consider a user who is using a web application that relies on a SQL Server client. As part of the authentication process, the SQL Server client passes the user's token to a back-end SQL Server database. In this case, you would need to configure the MaxTokenSize registry entry on each of the following computers:

The client computer that is running Internet Explorer
The web server running that is running IIS
The SQL Server client computer
The SQL Server database computer

In Windows Server 2012 (and later versions), Windows can log an event (Event ID 31) if the token size passes a certain threshold. To enable this behavior, you have to configure the Group Policy setting Computer Configuration\Administrative Templates\System\KDC\Warning for large Kerberos tickets.

Calculating the maximum token size

Use the following formula to calculate the size of the token that Windows generates for a particular user. This calculation helps you determine whether you need to change MaxTokenSize.

TokenSize = 1200 + 40d + 8s

For Windows Server 2012 (and later versions), this formula defines its components as follows:

1200. The estimated overhead value for a Kerberos ticket. This value can vary, depending on factors such as the length of the DNS domain name and the length of the client name.
d. The sum of the following values:
- The number of memberships in universal groups that are outside the user's account domain.
- The number of SIDs stored in the account's sIDHistory attribute. This value counts group memberships and user SIDs.
s. The sum of the following values:
- The number of memberships in universal groups that are inside the user's account domain.
- The number of memberships in domain-local groups.
- The number of memberships in global groups.

Windows Server 2008 R2 and earlier versions use the same formula. However, these versions consider the number of domain-local group memberships to be part of the d value instead of the s value.

If you have a MaxTokenSize value of 0x0000FFFF (64K), you may be able to buffer approximately 1600 d-class SIDs or approximately 8000 s-class SIDs. However, a number of other factors influence the value that you can safely use for MaxTokenSize, including the following:

If you use trusted for delegation accounts, each SID requires twice as much space.
If you have multiple trusts, configure the trusts to filter SIDs. This configuration reduces the impact of the Kerberos ticket size.
If you are using Windows Server 2012 or a later version, the following factors also affect the SID space requirements:
- There is a new scheme for compressing the SIDs in the PAC. For more information, see KDC Resource SID Compression. This feature reduces the size needed for SIDs in the ticket.
- Dynamic Access Control adds Active Directory claims to the ticket, increasing the size requirements. However, after you deploy claims with Windows Server 2012 file servers, you can expect to phase out a significant number of groups that control file access. This reduction can in turn reduce the size needed in the ticket. For more information, see Dynamic Access Control: Scenario Overview.
If you have configured Kerberos to use unconstrained delegation, you have to double the TokenSize value from the formula in order to obtain a valid estimate of MaxTokenSize.

Important

In 2019, Microsoft shipped updates to Windows that changed the default configuration of unconstrained delegation for Kerberos to disabled. For more information, see Updates to TGT delegation across incoming trusts in Windows Server.

As resource SID compression is widely used and unconstrained delegation is deprecated, MaxTokenSize of 48000 or larger should become sufficient for all scenarios.

Known issues that affect MaxTokenSize

A MaxTokenSize value of 48,000 bytes should be sufficient for most implementations. This is the default value in Windows Server 2012 and later versions. However, if you decide to use a larger value, review the known issues in this section.

Size limit of 1,010 group SIDs for the LSA access token

This issue is similar in that a user who has too many group memberships cannot authenticate, but the calculations and conditions that govern the issue are different. For example, the user may encounter this issue while using either Kerberos authentication or Windows NTLM authentication. For more information, see Logging on a user account that is a member of more than 1,010 groups may fail on a Windows Server-based computer.
Known issue when using values of MaxTokenSize larger than 48,000

To mitigate a denial of service attack vector, Internet Information Server (IIS) uses a limited HTTP request buffer size of 64 KB. A Kerberos ticket that is part of an HTTP request is encoded as Base64 (6 bits expanded to 8 bits). Therefore, the Kerberos ticket is using 133 percent of its original size. Therefore, when the maximum buffer size is 64 KB in IIS, the Kerberos ticket can use 48,000 bytes.

If you set the MaxTokenSize registry entry to a value that is larger than 48000 bytes, and the buffer space is used for SIDs, an IIS error may occur. However, if you set the MaxTokenSize registry entry to 48,000 bytes, and you use the space for SIDs and claims, a Kerberos error occurs.

For more information about IIS buffer sizes, see How to limit the header size of the HTTP transmission that IIS accepts from a client in Windows 2000.
Known issues when using values of MaxTokenSize larger than 65,535

Previous versions of this article discussed values of up to 100,000 bytes for MaxTokenSize. However, we have found that versions of SMS Administrator have problems when the MaxTokenSize is 100,000 bytes or larger.

We have also identified that the IPSEC IKE protocol does not allow a security BLOB to become larger than 66,536 bytes, and it would also fail when MaxTokenSize is set to a larger value.