How to Create a Fat Token

Or - “How to Create a Fat Kerberos Token of 82496 bytes!”

For testing purposes I wanted to create a user with an oversize Kerberos token. The following script does just that: it creates a user called FATTOKEN in the OU FATTOKEN, adds it to 1000 Domain Local groups named FATTOKENG0001 to FATTOKENG1000, and sets “trusted for delegation”. Running the script with the -TidyUp switch removes the user, the groups and the OU again.

Using the Get-TokenSizeReport.ps1 from here against FATTOKEN shows:

Image: Get-TokenSizeReport shows FATTOKEN has token size 82496
Image: Get-TokenSizeReport warning of token size > 48000 bytes

The Script

Param([Switch]$TidyUp)
import-module ActiveDirectory
[String]$FATTOKEN = "FATTOKEN"
[String]$FATTOKENG = "FATTOKENG"
[String]$OUPATH = "DC=lab,DC=priv"

#######################
## FAT TOKEN CREATOR ##
#######################

IF(!$TidyUp){

  ## 1) Create FATTOKEN OU and user ## 
  $Password = Read-Host "Password for $FATTOKEN" -AsSecureString
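  # Create the OU explicitly under $OUPATH so it matches the -path used for the user and groups
  New-ADOrganizationalUnit -Name "$FATTOKEN" -Path $OUPATH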
  New-ADuser -Name "$FATTOKEN" -AccountPassword $Password -path "OU=$FATTOKEN,$OUPATH"
  Set-ADAccountControl -TrustedForDelegation:$TRUE -Identity $FATTOKEN
  Enable-ADaccount -Identity "$FATTOKEN"
   
  ## 2) Create groups ##
  for($i=1; $i -le 1000; $i++){
    New-ADGroup -Name ( "$FATTOKENG" + ([String]$i).PadLeft(4,"0") ) -groupscope DomainLocal -path "OU=$FATTOKEN,$OUPATH"
    Write-Host "Creating $FATTOKENG $i"
  }
   
  ## 3) Add FATTOKEN to the groups ## 
  for($i=1; $i -le 1000; $i++){   
    Add-ADGroupMember -Members "$FATTOKEN" -Identity ( "$FATTOKENG" + ([String]$i).PadLeft(4,"0") )
    Write-Host "$FATTOKEN being added to $FATTOKENG $i"
  }

} ELSE {

  ## 4) Tidy Up ## 
  Remove-AdUser -Identity $FATTOKEN -Confirm:$FALSE 
  for($i=1; $i -le 1000; $i++){
    Remove-AdGroup -Identity ("$FATTOKENG" + ([String]$i).PadLeft(4,"0")) -Confirm:$FALSE
    Write-Host "Removed $FATTOKENG $i"
  }
  Set-ADObject -Identity "OU=$FATTOKEN,$OUPATH" -ProtectedFromAccidentalDeletion:$FALSE
  Remove-ADOrganizationalUnit -Identity "OU=$FATTOKEN,$OUPATH" -Confirm:$FALSE   
}
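
To see why this account ends up oversize, the estimate can be reproduced with Microsoft's published formula, TokenSize = 1200 + 40d + 8s, doubled when the account is trusted for delegation. The following is an added example, not part of the original post and not the Get-TokenSizeReport.ps1 script; the function name Get-EstimatedTokenSize is hypothetical, and it assumes that only direct security-group memberships need counting (true for FATTOKEN, since nested groups are not expanded).

```powershell
# Added example (not the Get-TokenSizeReport.ps1 script): estimate a user's
# Kerberos token size with Microsoft's formula  TokenSize = 1200 + 40d + 8s.
# Assumption: only direct security-group memberships are counted.
Import-Module ActiveDirectory

function Get-EstimatedTokenSize {   # hypothetical helper name
    Param(
        [Parameter(Mandatory)][String]$Identity,
        [Int]$WarningThreshold = 48000   # threshold from the report warning above
    )

    $User   = Get-ADUser -Identity $Identity -Properties TrustedForDelegation, SIDHistory
    $Groups = @(Get-ADPrincipalGroupMembership -Identity $User |
                Where-Object { $_.GroupCategory -eq 'Security' })

    # d = domain local groups + universal groups from other domains + SID history
    # s = global groups + universal groups from the user's own domain
    $d = 0
    $s = 0
    if ($User.SIDHistory) { $d = @($User.SIDHistory).Count }

    foreach ($Group in $Groups) {
        $SameDomain = $Group.SID.AccountDomainSid -eq $User.SID.AccountDomainSid
        switch ("$($Group.GroupScope)") {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($SameDomain) { $s++ } else { $d++ } }
        }
    }

    $Size = 1200 + (40 * $d) + (8 * $s)
    # Delegation: the guidance is to double the estimate
    if ($User.TrustedForDelegation) { $Size *= 2 }

    [PSCustomObject]@{
        User                 = $User.SamAccountName
        DomainLocalEtc_d     = $d
        GlobalEtc_s          = $s
        TrustedForDelegation = [Bool]$User.TrustedForDelegation
        EstimatedTokenSize   = $Size
        OverThreshold        = ($Size -gt $WarningThreshold)
    }
}

Get-EstimatedTokenSize -Identity 'FATTOKEN'
```

Each domain local group costs 40 bytes against 8 for a global group in the user's own domain, which is why the script above uses the DomainLocal scope and sets delegation to inflate the token as far as possible.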

