LKBEN10643: Domain Logon Authentication fails with more than 1015 group memberships


Symptom

Error message upon logon failure: "...security context accumulated too many security IDs..."

Cause

The user is a member of too many groups.

Solution

Logon Message:
"The system cannot log you on due to the following error: During a logon attempt, the user’s security context accumulated too many security IDs. Please try again or consult your system administrator"

In MS Windows domains (W2k and W2k3) there is a maximum of 1024 groups a domain user can be a member of. However, because nine well-known SIDs are inserted into the token by the Local Security Authority (LSA), the usable count is limited to 1015.

If a domain user exceeds this threshold (keep in mind transitive group memberships in a multi-domain environment!), he or she can no longer log on until enough security group memberships are removed.

If this happens to a member of the Administrators group, you need to reboot a domain controller with the "Safe Mode" or "Safe Mode with Networking" startup option and log on to the domain controller using the affected account.
After logging on in Safe Mode, the administrator must identify and modify the group memberships that cause the logon failure.

Note:
Logon in Safe Mode is possible because Microsoft modified the token generation algorithm of the LSA so that, in Safe Mode, the LSA can create an access token for the Administrator account no matter how many groups (transitive and non-transitive) the administrator is a member of.
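To find the affected accounts before (or after) the logon failure, the following script counts the group SIDs that would land in a user's token and compares them with the 1015 usable slots described above. It is an added example, not part of the original article or of any Microsoft tool; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the account running it can read the user object, and the account name is a placeholder.

```powershell
<#
  Added example, not part of the original article.
  Counts the group SIDs in a domain user's logon token and compares the
  count with the 1015 usable slots. Requires the ActiveDirectory module.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName,   # placeholder, e.g. 'jdoe'
    [int]$Limit = 1015         # usable group slots per the article
)

Import-Module ActiveDirectory -ErrorAction Stop

# tokenGroups is a constructed attribute the DC computes on request: the SIDs
# of every security group the account belongs to, nested groups included.
# Well-known SIDs (Everyone, Authenticated Users, ...) are not in it; those are
# the entries the LSA adds itself, which is why only 1015 slots are usable.
$user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups

$sids = @($user.tokenGroups | ForEach-Object {
    if ($_ -is [System.Security.Principal.SecurityIdentifier]) { $_ }
    else { New-Object System.Security.Principal.SecurityIdentifier($_, 0) }
})

# Resolve names where possible so the administrator can see what to trim;
# SIDs from other domains may not translate and are kept as raw SIDs.
$groups = foreach ($sid in $sids) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }
}

$result = [pscustomobject]@{
    User        = $user.SamAccountName
    GroupSIDs   = $sids.Count
    Limit       = $Limit
    Headroom    = $Limit - $sids.Count
    LogonAtRisk = ($sids.Count -gt $Limit)   # "more than 1015" fails logon
}
$result

if ($result.LogonAtRisk) {
    Write-Warning "$($user.SamAccountName) has $($sids.Count) group SIDs in its token; logon fails until memberships drop to $Limit or fewer."
}

# Full membership list, sorted, for review of what to remove.
$groups | Sort-Object
```

Run it against every member of privileged groups on a schedule and alert on low headroom, so the Safe Mode recovery above is never needed.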

Disclaimer:

The information provided in this document is intended for your information only. Lubby makes no claims to the validity of this information. Use of this information is at own risk!

About the Author

Author: Wim Peeters - Keskon GmbH & Co. KG

Wim Peeters is an electronics engineer with an additional master's degree in IT and over 30 years of experience, including time spent in support, development, consulting, training and database administration. Wim has worked with SQL Server since version 6.5. He has developed in C/C++, Java and C# on Windows and Linux. He writes knowledge base articles to solve IT problems and publishes them on the Lubby Knowledge Platform.