In my lab environment, the answer is “nothing different to if the packet size is less than 12000 Bytes”. I’d been hoping for a different result, never mind...
From this post by Shane Cothran:

“The MaxTokenSize by default is 12000 bytes. ... since Windows 2000 SP2 and still remains in Windows 7 and Windows 2008 R2. ... with Windows Server 2012, the default value of the MaxTokenSize registry entry is 48000 bytes. ... we are recommending ... MaxTokenSize no larger than 48000 bytes...”
My lab contains Windows 7 and Windows 2008 R2, so manufacturing a user with a Kerberos ticket size of > 12000 Bytes should lead to something interesting (it didn’t.)
After reading “Problems with Kerberos authentication when a user belongs to many groups” and, from Shane Cothran’s post, “keep in mind there is a hard limit of 1,015 groups a user can be a member of”, creating a user with a lot of groups seems like a good start to get to the 12000 bytes size.
Using PowerShell to Create Groups and Add to a User Account

PS C:\> Get-Module -ListAvailable
PS C:\> Import-Module ActiveDirectory

Creating a group using PowerShell (note the parameter names take plain ASCII hyphens and straight quotes; the curly quotes and dashes that web copy-paste produces will not parse):

PS C:\> New-ADGroup -Name "group1" -GroupScope Global -Path "OU=test,DC=lab,DC=priv"

This can be scripted to create 1000 groups.

Then create a user and add it to a group:

PS C:\> Add-ADGroupMember -Identity "group1" -Members "testuser"

And repeat for all 1000 groups.
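The scripted version of the group creation and membership steps above, as an added example that is not from the original post. It assumes the ActiveDirectory module, the lab OU "OU=test,DC=lab,DC=priv" and the user "testuser" used on this page. It also includes a small estimator for the token size from Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s, doubled when the account is trusted for delegation); with the page's counts of 1 domain local and 1000 global groups that formula reproduces the 9240 and 18480 byte figures reported by Get-TokenSizeReport.ps1 further down.

```powershell
# Added example (not the original post's code): build group1..group1000,
# add testuser to all of them, and estimate the resulting token size.
# Assumed lab values: OU, user name and group count come from this page.
Import-Module ActiveDirectory

$OU         = "OU=test,DC=lab,DC=priv"
$User       = "testuser"
$GroupCount = 1000

# Create the groups, skipping any that already exist so the script is re-runnable.
$groups = foreach ($i in 1..$GroupCount) {
    $name = "group$i"
    $g = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $OU
    if (-not $g) {
        $g = New-ADGroup -Name $name -GroupScope Global -Path $OU -PassThru
    }
    $g
}

# One call adds the user to every group instead of 1000 separate Add-ADGroupMember calls.
Add-ADPrincipalGroupMembership -Identity $User -MemberOf $groups

# Token size estimate from KB 327825 (assumed to apply to this lab's OS versions):
#   TokenSize = 1200 + 40*d + 8*s, doubled if the account is trusted for delegation
#   d = domain local groups + universal groups outside the user's domain + SIDHistory entries
#   s = global groups + universal groups inside the user's domain
function Get-EstimatedTokenSize {
    param(
        [int]$DomainLocal = 0,
        [int]$GlobalInDomain = 0,
        [int]$UniversalInDomain = 0,
        [int]$UniversalOutsideDomain = 0,
        [int]$SidHistory = 0,
        [switch]$TrustedForDelegation
    )
    $d = $DomainLocal + $UniversalOutsideDomain + $SidHistory
    $s = $GlobalInDomain + $UniversalInDomain
    $size = 1200 + (40 * $d) + (8 * $s)
    if ($TrustedForDelegation) { $size *= 2 }
    return $size
}

# The membership counts reported for testuser on this page: 1 domain local + 1000 global.
"Not trusted for delegation: $(Get-EstimatedTokenSize -DomainLocal 1 -GlobalInDomain 1000) bytes"
"Trusted for delegation:     $(Get-EstimatedTokenSize -DomainLocal 1 -GlobalInDomain 1000 -TrustedForDelegation) bytes"
```

Compare the two estimates against the 12000 byte default MaxTokenSize to see why enabling delegation was the step that pushed the token past it.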
Testing Part 1

Connect to a CIFS share, with a user that doesn’t have over 900 groups, from a test machine.

c:\>whoami
lab\naadmin

c:\>net use T: \\priclu1v1-cli\v_PKD$
The command completed successfully.

c:\>ipconfig
IPv4 Address. . . . . . . . . . . : 10.10.10.31

And confirm we are indeed using Kerberos:
PRICLU1::> cifs session show -fields auth-mechanism,address,windows-user
node     vserver   address     auth-mechanism windows-user
-------- --------- ----------- -------------- ------------
NACLU1N1 PRICLU1V1 10.10.10.31 Kerberos       LAB\NAADMIN
Then try connecting with the testuser created above. Does it work or not?

C:\Users\testuser>whoami
lab\testuser

C:\Users\testuser>net use T: \\priclu1v1-cli\v_PKD$
The command completed successfully.

C:\Users\testuser>ipconfig
IPv4 Address. . . . . . . . . . . : 10.10.10.31

PRICLU1::> cifs session show -fields auth-mechanism,address,windows-user
node     vserver   address     auth-mechanism windows-user
-------- --------- ----------- -------------- ------------
NACLU1N1 PRICLU1V1 10.10.10.31 Kerberos       LAB\testuser

It does indeed work and it’s using Kerberos.
Increasing the Size of the Kerberos Ticket

The token size was not greater than 12000 bytes. Using the Get-TokenSizeReport.ps1 from:

Checking the token of user testuser in domain LAB.PRIV
There are 1001 groups in the token.
- 1 are domain local security groups.
- 1000 are domain global scope security groups inside the users domain.
- 0 are domain global scope security groups outside the users domain.
- 0 are universal security groups inside the users domain.
- 0 are universal security groups outside the users domain.
The primary group is Domain Users.
There are 0 SIDs in the users SIDHistory.
The current userAccountControl value is 66048.
Token size is 9240 and the user is not trusted for delegation.

So, that’s trust it for delegation to increase the size of the Kerberos ticket.
Using instructions from Suprej Venkat's blog to make the ‘Delegation’ tab appear in Windows Server 2008:

C:\Users\Administrator>setspn -A HTTP/test.lab.priv LAB\testuser
Registering ServicePrincipalNames for CN=testuser,OU=~USERS,DC=lab,DC=priv
        HTTP/test.lab.priv
Updated object

Image: Trusting a User for Delegation
This makes the token size:

Checking the token of user testuser in domain LAB.PRIV
There are 1001 groups in the token.
- 1 are domain local security groups.
- 1000 are domain global scope security groups inside the users domain.
- 0 are domain global scope security groups outside the users domain.
- 0 are universal security groups inside the users domain.
- 0 are universal security groups outside the users domain.
The primary group is Domain Users.
There are 0 SIDs in the users SIDHistory.
The current userAccountControl value is 590336.
Token size is 18480 and the user is trusted for delegation.
Processed 8 of 8 user accounts = 100.00 % complete.

That’s 18480 bytes, well over the 12000 byte default, so we try again:
Testing Part 2

C:\Users\testuser>net use T: \\priclu1v1-cli\v_PKD$
The command completed successfully.

PRICLU1::> cifs session show -fields auth-mechanism,address,windows-user
node     vserver   address     auth-mechanism windows-user
-------- --------- ----------- -------------- ------------
NACLU1N1 PRICLU1V1 10.10.10.31 Kerberos       LAB\testuser

And it still works! (Which was not what I’d been expecting; I guess the Kerberos ticket size got increased by a Windows update sometime?)
Further Reading