KDC Resource SID Compression (EN)

KDC Resource SID Compression is a feature that was introduced on Windows Server 2012 Domain Controllers.

Its purpose is to minimize the risk of Kerberos authentication failures in applications when a user belongs to many groups.


Why may a user face Kerberos authentication failures when belonging to many groups?

Kerberos uses a buffer to store authorization information. This buffer has a maximum size, which protocols like RPC and HTTP use to allocate memory for authentication. If this size is exceeded, authentication over these protocols fails.

On Windows systems, the maximum size of this buffer is stored in the MaxTokenSize registry entry and has the following default values.

MaxTokenSize

Operating System                          MaxTokenSize (bytes)
Windows 2000 (original release version)   8000
Windows 2000 Service Pack 2               12000
Windows Server 2003                       12000
Windows Server 2003 R2                    12000
Windows Server 2008                       12000
Windows Server 2008 R2                    12000
Windows Server 2012                       48000

More info

Problems with Kerberos authentication when a user belongs to many groups:
http://support.microsoft.com/kb/327825/en-us

What is KDC Resource SID Compression?

The KDC (Key Distribution Center) builds the service tickets that clients use to authenticate to servers and establish a service session. These service tickets carry resource SIDs, and the Resource SID Compression feature compresses them so that the tickets have an optimized size.

The KDC behaves as follows:

KDC Resource SID Compression enabled
  How resource SIDs are stored: the KDC stores the resource domain SID and inserts only the RID portion of the SIDs added by the resource domain.
  Used field: ResourceGroupIds

KDC Resource SID Compression disabled
  How resource SIDs are stored: the KDC stores all SIDs added by the resource domain.
  Used field: Extra-SID

More info

Management of SIDs in Active Directory: directdoc.asp?docid=1748

By following this approach, the size of the buffer used to store authorization information decreases significantly, and the risk of exceeding its maximum size becomes lower.

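To make the size difference concrete, here is an added Python model (example code written for this page, not Microsoft's implementation) of the two layouts described above: it encodes SIDs in their binary form and counts the bytes a constructed group list needs in ResourceGroupIds versus Extra-SIDs. The structure names and field sizes follow MS-PAC; the SIDs and the 300-group membership are constructed sample data.

```python
import struct

# Simplified model of the two PAC layouts (MS-PAC KERB_VALIDATION_INFO) for the
# groups a resource domain adds: ExtraSids holds a full SID + 4-byte Attributes
# per group (KERB_SID_AND_ATTRIBUTES); ResourceGroupIds holds the domain SID once,
# then a 4-byte RID + 4-byte Attributes per group. NDR pointers/padding ignored.

ATTRIBUTES_LEN = 4  # ULONG Attributes, present in both structures

def sid_to_bytes(sid: str) -> bytes:
    """Binary SID: revision (1), sub-authority count (1), identifier
    authority (6, big-endian), then each sub-authority as a LE ULONG."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid}")
    subauths = [int(p) for p in parts[3:]]
    return (struct.pack("BB", int(parts[1]), len(subauths))
            + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauths))

def split_rid(sid: str) -> tuple:
    """Split a group SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def pac_group_bytes(resource_domain: str, group_sids: list, compression: bool) -> int:
    """Bytes to carry group_sids. With compression on, groups from resource_domain
    become RID-only entries; other SIDs (e.g. trusted-domain groups) stay full."""
    size, compressed = 0, 0
    for sid in group_sids:
        domain, _ = split_rid(sid)
        if compression and domain == resource_domain:
            size += 4 + ATTRIBUTES_LEN                       # RelativeId + Attributes
            compressed += 1
        else:
            size += len(sid_to_bytes(sid)) + ATTRIBUTES_LEN  # full SID + Attributes
    if compressed:
        size += len(sid_to_bytes(resource_domain))           # ResourceGroupDomainSid, once
    return size

# Constructed sample (made-up SIDs): a resource domain that adds 300 domain-local
# groups to the ticket, plus 3 groups from another, trusted domain.
RESOURCE_DOMAIN = "S-1-5-21-1111-2222-3333"
SAMPLE_GROUPS = [f"{RESOURCE_DOMAIN}-{rid}" for rid in range(5000, 5300)]
SAMPLE_GROUPS += [f"S-1-5-21-4444-5555-6666-{rid}" for rid in (1201, 1202, 1203)]

def compare_layouts(resource_domain=RESOURCE_DOMAIN, groups=SAMPLE_GROUPS) -> dict:
    """Buffer bytes for the same group list with and without compression."""
    return {"compressed": pac_group_bytes(resource_domain, groups, True),
            "uncompressed": pac_group_bytes(resource_domain, groups, False)}
```

With the sample data, compare_layouts() returns 2520 bytes compressed against 9696 uncompressed; the three trusted-domain groups cost 32 bytes each in both cases because only SIDs from the resource domain itself can be reduced to a RID.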
What are the known issues with the KDC Resource SID Compression feature?

Microsoft has already identified that the KDC Resource SID Compression feature may cause authentication problems on NAS devices.

Systems that do not understand how this compression works may face the same problems.

More info

Resource SID Compression in Windows Server 2012 may cause authentication problems on NAS devices: http://support.microsoft.com/kb/2774190/en-us

Is it possible to disable the KDC Resource SID Compression feature on Domain Controllers?

By default, the KDC Resource SID Compression feature is enabled on new Windows Server 2012 Domain Controllers.

It can be disabled by setting the DisableResourceGroupsFields registry value to 1 under the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters registry key.

See also

·       SID Compression