http://blogs.technet.com/b/askds/archive/2009/06/22/internet-explorer-behaviors-with-kerberos-authentication.aspxHey Rob here again, I thought that I would share with you some of the things that we see where Internet Explorer Kerberos authentication fails. It is important to understand the default behavior of Internet Explorer and its support for Kerberos authenticationen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/askds/archive/2009/06/22/internet-explorer-behaviors-with-kerberos-authentication.aspx#3377042Thu, 23 Dec 2010 15:31:17 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3377042greener85<p>Hey bugbunny69,</p> <p>As far as one IIS Server working vs another could be as simple as the required group membership is in the truncated token on the working vs missing on the failing logon.</p> <p>If you are not seeing an answer to the 401.1 with www-negotiate response from the IIS server then it sounds like you need to troubleshoot IE if it is not sending any response back.</p> <p>You will want to make sure that the site you are going to shows up in the intranet zone. &nbsp;After that I would suggest opening a case with our IE team.</p> <p>HTH,</p> <p>Rob Greene</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3377042" width="1" height="1">http://blogs.technet.com/b/askds/archive/2009/06/22/internet-explorer-behaviors-with-kerberos-authentication.aspx#3376598Tue, 21 Dec 2010 15:33:38 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3376598BugBunny69<p>Hi Rob,</p> <p>Thanks a lot for your answer. Unfortunately I don&#39;t have direct access to the end users computers but will check the MaxTokenSize asap.</p> <p>There is however still something unclear in my head. If the issue is related to the token size, how is possible that access to one IIS server works and not to the other one while both servers seem to hae the same config? FYI, when I do a Wireshark, I see the request sent by IE to IIS, then the negotiate answer sent by IIS to IE and then nothing.</p> <p>Thanks,</p> <p>Benoit</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3376598" width="1" height="1">http://blogs.technet.com/b/askds/archive/2009/06/22/internet-explorer-behaviors-with-kerberos-authentication.aspx#3375836Fri, 17 Dec 2010 18:36:50 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3375836greener85<p>Hey BugBunny69,</p> <p>From the error you are stating that you are seeing it sounds like you have a problem with your Kerberos ticket size. &nbsp;</p> <p>By default a Kerberos ticket can only be 12k in size, but is allowed to get to 65,535. &nbsp;You can use the MaxTokenSize registry key value to set this.</p> <p>However, with IIS, since the Kerbeos ticket is sent in the HTTP header, you are also going to run into a problem there also because by default (for security reasons) the HTTP header size is only allowed to be 16k.</p> <p>So you will need to make some changes within IIS, and every computer in the mix and add MaxTokenSize to them (you can exclude domain controllers)</p> <p>MaxTokenSize:</p> <p>938118 How to use Group Policy to add the MaxTokenSize registry entry to multiple computers</p> <p><a rel="nofollow" target="_new" href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;938118">support.microsoft.com/default.aspx</a></p> <p>327825 New resolution for problems with Kerberos authentication when users belong to many groups</p> <p><a rel="nofollow" target="_new" href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;327825">support.microsoft.com/default.aspx</a></p> <p>NOTE: &nbsp;The hotfix is not needed unless you are on Windows 2000.</p> <p>Also, just as a side note, if you make sure that your forest / domain functional levels are atleast Windows Server 2003, you might fix your self if you are currently at Windows 2000 levels. &nbsp;This is because we use RID values for global group memberships after that.</p> <p>For IIS 6 and above you need to modify the following two registry keys:</p> <p>MaxRequestBytes</p> <p>MaxFieldLength </p> <p>2020943 &quot;HTTP 400 - Bad Request (Request Header too long)&quot; error in Internet Information Services (IIS)</p> <p><a rel="nofollow" target="_new" href="http://support.microsoft.com/default.aspx?scid=kb;en-US;2020943">support.microsoft.com/default.aspx</a></p> <p>Hope this helps.</p> <p>Rob Greene</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3375836" width="1" height="1">http://blogs.technet.com/b/askds/archive/2009/06/22/internet-explorer-behaviors-with-kerberos-authentication.aspx#3374994Tue, 14 Dec 2010 17:23:56 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3374994BugBunny69<p>Hi,</p> <p>We have a very strange behaviour with IE. Could you please help?</p> <p>I have two IIS 6.0 servers (A and B).</p> <p>Both are configured to use Integrated Windows Authentication.</p> <p>1) Access to both servers works fine for hundreds of users.</p> <p>2) For a very limited number of users access works fine for server A but not for server B if access is done with Internet Explorer (same issue with IE6 and IE8). For these users, access works fine for both servers if they use Firefox or Chrome.</p> <p>3) When I check their event log, I can see:</p> <p>&quot;The kerberos SSPI package generated an output token size of size 3514 bytes, which was too large to fit in the 3510 buffer provided by process id 0.&quot;</p> <p>The solution to this issue was to reduce the number of groups of the impacted users.</p> <p>My question: how is it possible that access was working for one server and not the other one before the group reduction?</p> <p>Thanks,</p> <p>Benoit</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3374994" width="1" height="1">http://blogs.technet.com/b/askds/archive/2009/06/22/internet-explorer-behaviors-with-kerberos-authentication.aspx#3257709Tue, 23 Jun 2009 09:38:46 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3257709Internet Explorer behaviors with Kerberos Authentication<p>PingBack from <a rel="nofollow" target="_new" href="http://www.marcvalk.net/2009/06/internet-explorer-behaviors-with-kerberos-authentication/">http://www.marcvalk.net/2009/06/internet-explorer-behaviors-with-kerberos-authentication/</a></p> <img src="http://blogs.technet.com/aggbug.aspx?PostID=3257709" width="1" height="1">