LKBEN10644: User Domain - Login fails or has errors due to too many group memberships


This article has not been checked!

LKB | Created: 02/04/2020 | Version: 0 | Language: EN | Rating: 0 | Outdated: False | Marked for deletion: False

Author: Wim Peeters - Keskon GmbH & Co. KG


Symptom

The user cannot log in, or is missing resources provided by the logon script or group policies.

Cause

The user has too many group memberships for the default Kerberos token size.

Solution

Error message at user logon:

"Error browsing user memberships - Error loading user object for user: <DOMAIN>\<USER>." and something like 'not sufficient memory for this task.' 

Another symptom can be that group policies (GPOs) are not applied.

The solution can be to change the value for "MaxTokenSize" in your registry:

HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters

DWORD "MaxTokenSize" --> 0xFFFF (decimal 65535)

!!! This key changes Kerberos authentication. The default value is 12000 (decimal).
!!! Changing this key to values greater than 0xFFFF (or 65535) can cause "Timeout expired" errors in MS SQL Server communication, or WBEM / RPC issues as an SMS administrator.

After a restart, all group memberships can be read.
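
The check and registry change described above, as a PowerShell example added here (not part of the original article). The function names are hypothetical, and the size estimate is an assumption: it applies Microsoft's published approximation TokenSize = 1200 + 40d + 8s with every group SID counted at 40 bytes, which gives a rough upper bound for the account running the script.

```powershell
# Added example. Function names and the lower bound in Set-MaxTokenSize are assumptions.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$DefaultMax = 12000     # default value stated in the article
$CeilingMax = 0xFFFF    # 65535; the article warns against anything larger

function Get-MaxTokenSize {
    # Return the configured value, or the default when the value is absent.
    $p = Get-ItemProperty -Path $KerbParams -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($null -ne $p) { [int]$p.MaxTokenSize } else { $DefaultMax }
}

function Get-TokenSizeEstimate {
    # Rough upper bound: 1200 bytes overhead plus 40 bytes per group SID
    # in the token of the account running this script.
    $groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
    1200 + 40 * $groups.Count
}

function Set-MaxTokenSize {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][int]$Value)
    # Refuse values above the ceiling (see the warning above) or below the default.
    if ($Value -lt $DefaultMax -or $Value -gt $CeilingMax) {
        throw "Refusing MaxTokenSize=$Value; allowed range is $DefaultMax to $CeilingMax."
    }
    if (-not (Test-Path $KerbParams)) {
        New-Item -Path $KerbParams -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($KerbParams, "Set MaxTokenSize to $Value")) {
        New-ItemProperty -Path $KerbParams -Name MaxTokenSize `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

$current  = Get-MaxTokenSize
$estimate = Get-TokenSizeEstimate
"Configured MaxTokenSize : $current"
"Estimated token size    : $estimate"
if ($estimate -gt $current) {
    # Dry run only; remove -WhatIf to write the value, then restart the machine.
    Set-MaxTokenSize -Value $CeilingMax -WhatIf
}
```

Run it from an elevated session; writing under HKLM requires administrator rights.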

About the Author

Wim Peeters is an electronics engineer with an additional master's degree in IT and over 30 years of experience, including time spent in support, development, consulting, training and database administration. Wim has worked with SQL Server since version 6.5. He has developed in C/C++, Java and C# on Windows and Linux in different European countries and different European languages. He writes knowledge base articles to solve IT problems and publishes them on the Lubby Knowledge Platform, where he is one of the most important contributors and the main developer.
