Well to rule out number of groups or the nesting, start with a single group and see if it works that way and then slowly back up to what you have that is failing.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Friday, August 19, 2005 12:19 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] User SIDs... Sorry Ppl. Contributors to this list are so helpful that I forget that they aren't quite smart enough to read my mind, they have been able to do everything else ;-) The problem is thus: I have a user in a group, which through 4 levels of nesting is a member of the local administrators group on a server (no restricted groups or anything, just plain simple addition of the group the user is in to the local Administrators group). Call this ServerA. The local administrators group is configured in the setting "Impersonate a client after authentication". I have set up a web page in IIS (on ServerB) that attaches to ServerA to perform some folder manipulation (profile and home directory changes and the like). It does this using kerberos to pass the authentication through. The page fails, because their kerberos authentication fails. I have added the same user explicity to the "Impersonate a client after authentication" setting on ServerA, and presto, it works. Just to reiterate, The user is in less than 50 groups, including netsing results. ServerA and ServerB are both Win2k3. The domain is all Win2K DC's, SP3. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: 19 August 2005 16:36 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] User SIDs... As Dean keeps saying, how about describing the actual problem as you see/experience it. Could be something totally different. I'll bet somebody here would be helpful if they knew what to help with. :) Al -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Friday, August 19, 2005 10:49 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] User SIDs... Looks like the PAC is intact, and all SIDs are well within the limit. This is done from the user account that is exhibiting the problem. I am at a loss on this one now.... Tokensz Results: Name: Kerberos Comment: Microsoft Kerberos V1.0 Current PackageInfo->MaxToken: 12000 QueryKeyInfo: Signature algorithm = Encrypt algorithm = RSADSI RC4-HMAC KeySize = 128 Flags = 2081e Signature Algorithm = -138 Encrypt Algorithm = 23 Start:8/19/2005 16:19:12 Expiry:8/20/2005 2:16:44 Current Time: 8/19/2005 16:19:15 MaxToken (complete context) 1790 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 19 August 2005 14:56 To: Send - AD mailing list Subject: RE: [ActiveDir] User SIDs... ... it still doesn't look quite right, I'm thinking the issuing auth. is 48 bits by itself but I've no recollection as to where I'm getting that from. If the precise length constraints remain important (following everything else already posted), I'll see if I can dig it up later when I return. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Friday, August 19, 2005 9:29 AM To: Send - AD mailing list Subject: RE: [ActiveDir] User SIDs... The URL you supplied does not relate to a problem with the length of any one specific SID, it is describing a problem relating to the overall size of all of the SIDs that represent the identity of a particular user, i.e. user SID, group SID, SID history. This identity information is known as the user's token (or PAC) and has a supported maximum (which has been steadily increasing with each iteration of the OS). Beyond (or in some cases, approaching) that maximum, many products utilizing the Windows authorization model will begin to exhibit erratic behavior or fail completely. Regarding SID construct, they're comprised of a number of elements but since I don't have the doc. to hand at the moment (though I'm certain you'll find something through google) I'll offer what I remember of their construct - Example SID - S-1-5-21-2123478354-492892223-854245498-1113 [1] [2] [2] [2] [3] Breakdown - [1] = I'm a SID, revision, issuing (or identifier) authority, sub-authorities and some additional metadata (don't recollect its size I'm afraid, I'd guess, however, at 32 bits broken down into some kind of ordered grouping to represent the afore mentioned elements) [2] = domain component (96 bits I believe) [3] = relative identifier (RID = 30 bits) In addition, you may want to locate and download a Microsoft tool named "tokensz.exe" and run something like - C:\>tokensz /compute_tokensize Dean -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Friday, August 19, 2005 8:29 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] User SIDs... Hello All, Does anyone know the default length a users SID (Win2K DC's, WinXP SP2clients ) can be before problems such as http://support.microsoft.com/?kbid=327825 <http://support.microsoft.com/?kbid=327825> start occuring ? Also, there anyway to determine the actual length of a users SID??? TIA, Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This message has been scanned for viruses by MailControl - (see http://bluepages.wsatkins.co.uk/?4318150) List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/