



Resource SID Compression in Windows Server 2012 may cause Authorization problems on devices that do not support Resource SID compression (EN) |
Symptoms When accessing file shares hosted on devices that do not support Resource SID compression, after deploying Windows Server 2012 domain controllers, the following symptoms may be observed. Connections to mapped network drives using the format \\servername\sharename\subfolder fail with Access Denied Note: Connecting to the same path by using the IP address will always work. Access to resources that are controlled by membership of Resource group will fail. Cause This problem occurs under the following conditions:
Resolution There are two ways to resolve a Kerberos Resource SID Compression interoperability issue Resolution 1: (preferred) The preferred resolution to resource SID compression interoperability is to turn on the disable Resource Group Compression bit (0x80000) in msDS-SupportedEncryptionTypes attribute of the object in Active Directory that is the principal representing the security context of the target service/Device. To produce the correct value, you need to
Alternatively, you can use the following Windows PowerShell script to disable resource SID compression on the given security principal DisableKerbGroupCompression.ps1 --------------------------------------------------------------------------------------------------------------------------------- # # Script to Disable Kerberos Group SID Compression # -------------------------------------------------------------------------------------------------------------------------------- param( $principalName) -------------------------------------------------------------------------------------------------------------------------------- $newValue = 0 -------------------------------------------------------------------------------------------------------------------------------- # Get the AD principal and value $obj = get-adobject -Filter {(cn -like $principalName)} -Properties * if($obj -eq $null) { Write-Host "Cannot find $principalName in the directory" break } -------------------------------------------------------------------------------------------------------------------------------- $newValue = $value = $obj."msDS-SupportedEncryptionTypes" $msgBefore =$msgAfter = "Resource group compression status on principal {0}: " -f $principalName -------------------------------------------------------------------------------------------------------------------------------- {$msgBefore += "Enabled"} else {$msgBefore += "Disabled"} -------------------------------------------------------------------------------------------------------------------------------- Write-Host $msgBefore -------------------------------------------------------------------------------------------------------------------------------- if( ($value -band 0x00080000) -eq 0) #enable the disable bit {$newValue = $value -bor 0x00080000} -------------------------------------------------------------------------------------------------------------------------------- if($newValue -ne $value) #update if values are different { Set-ADObject $obj -Replace @{"msDS-SupportedEncryptionTypes"=$newValue} -------------------------------------------------------------------------------------------------------------------------------- if( ($newvalue -band 0x0080000) -eq 0) {$msgAfter += "Enabled"} else {$msgAfter += "Disabled"} -------------------------------------------------------------------------------------------------------------------------------- Write-Host $msgAfter } else { Write-Host "Resource group compression did not change."} -------------------------------------------------------------------------------------------------------------------------------- Syntax DisableKerbGroupCompression.ps1 objectName Resolution 2: This resolution should be used only when resolution one cannot be used. This resolution disables resource SID compression on an individual Windows Server 2012 domain controller (KDC). You must apply this setting to each Windows Server 2012 domain controller to ensure the domain controllers do not issue tickets that use resource group SID compression. Resource SID compression is on by default; however, you can disable it. You disable resource SID compression on a Windows Server 2012 KDC using the DisableResourceGroupsFields registry value under the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters registry key. This registry value has a DWORD registry value type. You completely disable resource SID compression when you set the registry value to 1. The KDC reads this configuration when building a service ticket. With the bit enabled, the KDC does not use resource SID compression when building the service ticket. More Information KDC Resource SID Compression Kerberos authentication inserts security identifiers (SIDs) of the security principal, SID history, all the groups to which the user is a member including universal groups and groups from the resource domain. Security principals with too many group memberships greatly affect the size of the authentication data. Sometimes the authentication data is larger than the allocated size reported by Kerberos to applications. This can causes authentication failure in some applications. SIDs from the resource domain share the same domain portion of the SID, these SIDs can be compressed by only providing the resource domain SID once for all SIDs in the resource domain. Windows Server 2012 KDCs help reduce the size of the PAC by taking advantage of resource SID compression. By default, a Windows Server 2012 KDC will always compress resource SIDs. To compress resource SIDs, the KDC stores SID of the resource domain to which the target resource is a member. Then, it inserts only the RID portion of each resource SID into the ResourceGroupIds portion of the authentication data. Resource SID Compression reduces the size of each stored instance of a resource SID because the domain SID is stored once rather than with each instance. Without resource SID Compression, the KDC inserts all the SIDs added by the resource domain in the Extra-SID portion of the PAC structure, which is a list of SIDs. [MS-KILE] Interoperability Some Kerberos implementations may not understand resource group compression and therefore are not compatible. In these scenarios, you may need to disable resource group compression to allow the Windows Server 2012 KDC to interoperate with the third-party Kerberos implementation. |
The latest tutorials
About Tunit
Tunit helps you plan your Microsoft systems integration and administration.
Certainly, having a good Management of your IT systems improve your Business performance while it can, when it is poorly managed, obstruct the responsiveness and efficiency of your organization. We are here to help you so do not hesitate to follow us.
View more