Just in case anyone else is still following this, I thought I'd post an (unfortunately useless) update. The problem I am experiencing is not due to large group memberships, and is an intermittent problem at best. Creating a user account with *far* fewer groups doesn't correct the problem. I will have to get the developer to add in some extra debug info, me thinks.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: 22 August 2005 15:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

That is a good idea, and in my case would mean re-training (or in some cases, training for the first time) a team of ppl, and going through various hoops and jumps. I am taking that approach as well as "attempting" to troubleshoot this problem. One thing I would like to clarify for those still following: does the MaxToken setting of 12000 vs. the MaxToken (complete context) 1790 value mean that group membership is not causing a problem here?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 22 August 2005 14:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

It sounds like you may want to consider changing your group/access strategy as well. If it takes this long to troubleshoot, I think it's worthwhile to see if it can be done better/more simply for future use. My $0.04 anyway.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Monday, August 22, 2005 6:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

I am going to duplicate the user's account (can't really be bothering them much more :-) and then remove half the groups they are in and troubleshoot from there. There are about 4 groups they have to be in to get this test working (i.e. log on locally perms etc.), so starting with one group isn't the easiest route forward.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 21 August 2005 18:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

Well, to rule out number of groups or the nesting, start with a single group and see if it works that way, and then slowly back up to what you have that is failing.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

Sorry Ppl. Contributors to this list are so helpful that I forget that they aren't quite smart enough to read my mind; they have been able to do everything else ;-)

The problem is thus: I have a user in a group, which through 4 levels of nesting is a member of the local Administrators group on a server (no restricted groups or anything, just plain simple addition of the group the user is in to the local Administrators group). Call this ServerA. The local Administrators group is configured in the setting "Impersonate a client after authentication". I have set up a web page in IIS (on ServerB) that attaches to ServerA to perform some folder manipulation (profile and home directory changes and the like). It does this using Kerberos to pass the authentication through. The page fails, because their Kerberos authentication fails. I have added the same user explicitly to the "Impersonate a client after authentication" setting on ServerA, and presto, it works.

Just to reiterate, the user is in less than 50 groups, including nesting results. ServerA and ServerB are both Win2k3. The domain is all Win2K DCs, SP3.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 19 August 2005 16:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

As Dean keeps saying, how about describing the actual problem as you see/experience it. Could be something totally different. I'll bet somebody here would be helpful if they knew what to help with. :)

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...
Looks like the PAC is intact, and all SIDs are well within the limit. This is done from the user account that is exhibiting the problem. I am at a loss on this one now....

Tokensz Results:

  Name: Kerberos
  Comment: Microsoft Kerberos V1.0
  Current PackageInfo->MaxToken: 12000
  QueryKeyInfo:
    Signature algorithm =
    Encrypt algorithm = RSADSI RC4-HMAC
    KeySize = 128
    Flags = 2081e
    Signature Algorithm = -138
    Encrypt Algorithm = 23
  Start: 8/19/2005 16:19:12
  Expiry: 8/20/2005 2:16:44
  Current Time: 8/19/2005 16:19:15
  MaxToken (complete context) 1790

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 19 August 2005 14:56
To: Send - AD mailing list
Subject: RE: [ActiveDir] User SIDs...

... it still doesn't look quite right; I'm thinking the issuing auth. is 48 bits by itself, but I've no recollection as to where I'm getting that from. If the precise length constraints remain important (following everything else already posted), I'll see if I can dig it up later when I return.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 19, 2005 9:29 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] User SIDs...

The URL you supplied does not relate to a problem with the length of any one specific SID; it is describing a problem relating to the overall size of all of the SIDs that represent the identity of a particular user, i.e. user SID, group SIDs, SID history. This identity information is known as the user's token (or PAC) and has a supported maximum (which has been steadily increasing with each iteration of the OS). Beyond (or in some cases, approaching) that maximum, many products utilizing the Windows authorization model will begin to exhibit erratic behavior or fail completely.

Regarding SID construct, they're comprised of a number of elements, but since I don't have the doc.
to hand at the moment (though I'm certain you'll find something through Google) I'll offer what I remember of their construct -

Example SID -

  S-1-5-21-2123478354-492892223-854245498-1113
  [  1   ] [   2    ] [   2   ] [   2   ] [3 ]

Breakdown -

  [1] = I'm a SID, revision, issuing (or identifier) authority, sub-authorities and some additional metadata (don't recollect its size I'm afraid; I'd guess, however, at 32 bits broken down into some kind of ordered grouping to represent the aforementioned elements)
  [2] = domain component (96 bits I believe)
  [3] = relative identifier (RID = 30 bits)

In addition, you may want to locate and download a Microsoft tool named "tokensz.exe" and run something like -

  C:\>tokensz /compute_tokensize

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User SIDs...

Hello All,

Does anyone know the default length a user's SID (Win2K DCs, WinXP SP2 clients) can be before problems such as http://support.microsoft.com/?kbid=327825 start occurring? Also, is there any way to determine the actual length of a user's SID???

TIA,
Brad

This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
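The two questions the thread circles around (how long is one SID, and how close is the user's token to the limit) can be answered without tokensz. The Python below is an added example, not code from the thread, from Microsoft or from tokensz. It encodes a string SID into the binary layout Windows stores in a token or PAC: a 1-byte revision, a 1-byte sub-authority count, a 6-byte (48-bit) identifier authority, then one 32-bit little-endian word per sub-authority, at most 15 of them. A single SID is therefore 8 + 4 × (sub-authority count) bytes, and the domain part plus RID of a normal account SID is four 32-bit words. It also applies the token-size estimate from the KB article Brad cites (TokenSize = 1200 + 40d + 8s) and compares it against 12000 bytes, the default MaxTokenSize on Windows 2000/XP/2003 that tokensz reports as "Current PackageInfo->MaxToken"; the 1790 figure in the thread is the size of the user's actual Kerberos context, well under that ceiling. The example SID and the "fewer than 50 groups" figure are the thread's own; the function names and the assumption that all 50 are global groups in the account domain are mine.

```python
import struct

# Binary SID layout as stored in a Windows access token / Kerberos PAC:
#   byte 0      revision (always 1)
#   byte 1      number of sub-authorities (0..15)
#   bytes 2-7   identifier authority, 48-bit big-endian
#   then        one little-endian 32-bit word per sub-authority
SID_HEADER_LEN = 8
SUB_AUTHORITY_LEN = 4
MAX_SUB_AUTHORITIES = 15

# Default MaxTokenSize (bytes) on Windows 2000 / XP / 2003, the value
# tokensz prints as "Current PackageInfo->MaxToken".
DEFAULT_MAX_TOKEN_SIZE = 12000


def parse_sid(sid: str):
    """Split a string SID such as S-1-5-21-...-1113 into (revision, authority, [sub-authorities])."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a string SID: {sid!r}")
    try:
        revision = int(parts[1])
        authority = int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError as exc:
        raise ValueError(f"non-numeric SID component in {sid!r}") from exc
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if not 0 <= authority < (1 << 48):
        raise ValueError("identifier authority must fit in 48 bits")
    if len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError(f"more than {MAX_SUB_AUTHORITIES} sub-authorities")
    if any(not 0 <= s < (1 << 32) for s in subs):
        raise ValueError("each sub-authority must fit in 32 bits")
    return revision, authority, subs


def sid_to_bytes(sid: str) -> bytes:
    """Encode a string SID in the binary form found in a token or PAC."""
    revision, authority, subs = parse_sid(sid)
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(blob: bytes) -> str:
    """Decode a binary SID back to string form (inverse of sid_to_bytes)."""
    if len(blob) < SID_HEADER_LEN:
        raise ValueError("SID blob shorter than its 8-byte header")
    revision, count = blob[0], blob[1]
    expected = SID_HEADER_LEN + SUB_AUTHORITY_LEN * count
    if revision != 1 or count > MAX_SUB_AUTHORITIES or len(blob) != expected:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:]) if count else ()
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_length(sid: str) -> int:
    """Byte length of one SID in binary form: 8 header bytes + 4 per sub-authority."""
    return SID_HEADER_LEN + SUB_AUTHORITY_LEN * len(parse_sid(sid)[2])


def estimate_token_size(d: int, s: int) -> int:
    """Estimate from KB 327825: 1200 bytes of ticket/PAC overhead, plus
    40 bytes for each of d (domain local groups + universal groups outside the
    account domain + SID-history entries) and 8 bytes for each of s (global
    groups + universal groups in the account domain)."""
    return 1200 + 40 * d + 8 * s


def fits_default_token(d: int, s: int, max_token: int = DEFAULT_MAX_TOKEN_SIZE) -> bool:
    """True if the estimated token stays within the configured MaxTokenSize."""
    return estimate_token_size(d, s) <= max_token


if __name__ == "__main__":
    example = "S-1-5-21-2123478354-492892223-854245498-1113"   # the SID quoted in the thread
    print(example, "->", sid_to_bytes(example).hex(), f"({sid_length(example)} bytes)")
    # Thread says fewer than 50 groups; assumed here to be 50 global groups in
    # the account domain (d = 0, s = 50). Move groups to d to model the worst case.
    print("estimated token for 50 global groups:", estimate_token_size(0, 50), "bytes",
          "(fits)" if fits_default_token(0, 50) else "(exceeds MaxTokenSize)")
```

Because the per-group cost is 40 bytes at most, a token only approaches the 12000-byte default at several hundred group memberships; the estimate is a planning figure, so on a live account the authoritative number is still the "MaxToken (complete context)" value tokensz prints, or the group list in the actual PAC.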