AD Security Groups break Authentication

Hello,

I seem to be having a strange problem with my Active Directory user
accounts.

We have a Windows 2008 AD domain, with our only domain controller
located at a remote data center. All of our locations have connectivity
to the data center through a private MPLS network, with varying speeds.

Users at my largest office seem to lose the ability to properly
authenticate to AD if they are added to too many security groups. At
first we thought it was a specific group causing the problem, but any
new group will reproduce the issue. There doesn't seem to be any magic
number of groups that causes the problem either. Some users are already
members of 3-4 security groups, add a 5th one and authentication breaks.

When the problem occurs, users no longer seem to authenticate to the
domain. They log onto their computer and do not run the login script.
Login also takes a lot longer -- it seems to sit and wait for a while
before completing. Once the user is logged into their PC, they can't
access any networked resources. If I try and map a network drive, I'll
get prompted for credentials. Enter the credentials & I can access the
resource.

Anyone ever experienced anything like this or have any idea what might
be going on?

Thanks!

Hi Vegas

can you pls post the events esp. on DC.

Do you have Events 3210,5722,5723 from netlogon?

Best Regards
Baris DOGAN
MCT ,CCNA, MCSE 2K/2K3 + Security


"Vegas or Bust" wrote:

> Hello,
>
> I seem to be having a strange problem with my Active Directory user
> accounts.
>
> We have a Windows 2008 AD domain, with our only domain controller
> located at a remote data center. All of our locations have connectivity
> to the data center through a private MPLS network, with varying speeds.
>
> Users at my largest office seem to lose the ability to properly
> authenticate to AD if they are added to too many security groups. At
> first we thought it was a specific group causing the problem, but any
> new group will reproduce the issue. There doesn't seem to be any magic
> number of groups that causes the problem either. Some users are already
> members of 3-4 security groups, add a 5th one and authentication breaks.
>
> When the problem occurs, users no longer seem to authenticate to the
> domain. They log onto their computer and do not run the login script.
> Login also takes a lot longer -- it seems to sit and wait for a while
> before completing. Once the user is logged into their PC, they can't
> access any networked resources. If I try and map a network drive, I'll
> get prompted for credentials. Enter the credentials & I can access the
> resource.
>
> Anyone ever experienced anything like this or have any idea what might
> be going on?
>
> Thanks!
> .
>

This sounds like a MTU issue and might happen because of the IP
fragmentation that occurs over your MPLS network.
With every group added, the group SID is added to the kerberos ticket and if
that ticket won't fit in a single frame over the MPLS network, it will be
fragmented. Since this is happening over UDP, if the packets won't arrive in
order some of them will be dropped, resulting in your issue.
Check here for an explanation and how to change it to TCP:
http://support.microsoft.com/?kbid=244474

Andrei Ungureanu
www.winadmins.net

"Vegas or Bust" <> wrote in message
news:#...
> Hello,
>
> I seem to be having a strange problem with my Active Directory user
> accounts.
>
> We have a Windows 2008 AD domain, with our only domain controller located
> at a remote data center. All of our locations have connectivity to the
> data center through a private MPLS network, with varying speeds.
>
> Users at my largest office seem to lose the ability to properly
> authenticate to AD if they are added to too many security groups. At
> first we thought it was a specific group causing the problem, but any new
> group will reproduce the issue. There doesn't seem to be any magic number
> of groups that causes the problem either. Some users are already members
> of 3-4 security groups, add a 5th one and authentication breaks.
>
> When the problem occurs, users no longer seem to authenticate to the
> domain. They log onto their computer and do not run the login script.
> Login also takes a lot longer -- it seems to sit and wait for a while
> before completing. Once the user is logged into their PC, they can't
> access any networked resources. If I try and map a network drive, I'll
> get prompted for credentials. Enter the credentials & I can access the
> resource.
>
> Anyone ever experienced anything like this or have any idea what might be
> going on?
>
> Thanks!

"Vegas or Bust" <> wrote in message
news:%...
> Hello,
>
> I seem to be having a strange problem with my Active Directory user
> accounts.
>
> We have a Windows 2008 AD domain, with our only domain controller located
> at a remote data center. All of our locations have connectivity to the
> data center through a private MPLS network, with varying speeds.
>
> Users at my largest office seem to lose the ability to properly
> authenticate to AD if they are added to too many security groups. At
> first we thought it was a specific group causing the problem, but any new
> group will reproduce the issue. There doesn't seem to be any magic number
> of groups that causes the problem either. Some users are already members
> of 3-4 security groups, add a 5th one and authentication breaks.
>
> When the problem occurs, users no longer seem to authenticate to the
> domain. They log onto their computer and do not run the login script.
> Login also takes a lot longer -- it seems to sit and wait for a while
> before completing. Once the user is logged into their PC, they can't
> access any networked resources. If I try and map a network drive, I'll
> get prompted for credentials. Enter the credentials & I can access the
> resource.
>
> Anyone ever experienced anything like this or have any idea what might be
> going on?
>
> Thanks!

Although what you describe sounds like what is sometimes called "token
bloat", I don't think it can be. When the user logs on, they get a token
that has the SID of all security groups the user is a member of. This
includes all groups the user is a direct member of, plus all memberships due
to group nesting. It does not include distribution groups. If this token is
too big you should see Event Log messages similar to those in the article
linked by Andrei. However, my recollection is that this is experienced when
the user is a member of many more than 5 groups.

The number of SID's in the token should be the same as the number of values
in the tokenGroups attribute of the user. You can use ADSI Edit to view this
attribute and count the number of values in the collection. Or you can run a
script that counts the number of SID's in the tokenGroup attribute.

Another consideration is Universal Group membership, which is saved in the
Global Catalog. Unless you have Universal Group caching enabled, a GC must
be contacted during logon to determine Universal Group membership. However,
if you have only one DC (which must be a GC), this wouldn't seem to be the
problem. Except if the group that "breaks" authentication is a Universal
Group, maybe this requires extra communication with the DC. Really, you
shouldn't have any Universal Groups.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

Like Richard sais, it sounds like the user is member of too much
(nested) security groups which causes the Kerberos tokensize to exceed
the max. Those 3-4 groups you are talking about must have a lot of
subgroups nested.

Take a look at this knowlegebase article:

http://support.microsoft.com/kb/327825

When this happens the user is not known to be member of certain groups,
which can result in just about anything.

I experienced this on the job resulting mainly in unaccesable folders.

Each unique membership makes the token larger (domain local groups even
more than global groups). There is a tool called Tokensz (microsoft
download) to test the user's token size, but I don't know if it's 2008
compatible.

If the max tokensize is your problem, be aware that the MaxTokenSize
registrykey that the knowledgebase article is talking about must be set
on all computers on which these users logon to.

To generate an overview of all groupmemberships, including the nested
ones, you can download GroupMemberTree on:

http://www.ZEDA.nl/en/?postid=20100402

Good luck.

ZEDA



www.ZEDA.nl - Windows Advanced Tips & Tricks


Op 20-4-2010 16:09, Richard Mueller [MVP] schreef:
> "Vegas or Bust"<> wrote in message
> news:%...
>> Hello,
>>
>> I seem to be having a strange problem with my Active Directory user
>> accounts.
>>
>> We have a Windows 2008 AD domain, with our only domain controller located
>> at a remote data center. All of our locations have connectivity to the
>> data center through a private MPLS network, with varying speeds.
>>
>> Users at my largest office seem to lose the ability to properly
>> authenticate to AD if they are added to too many security groups. At
>> first we thought it was a specific group causing the problem, but any new
>> group will reproduce the issue. There doesn't seem to be any magic number
>> of groups that causes the problem either. Some users are already members
>> of 3-4 security groups, add a 5th one and authentication breaks.
>>
>> When the problem occurs, users no longer seem to authenticate to the
>> domain. They log onto their computer and do not run the login script.
>> Login also takes a lot longer -- it seems to sit and wait for a while
>> before completing. Once the user is logged into their PC, they can't
>> access any networked resources. If I try and map a network drive, I'll
>> get prompted for credentials. Enter the credentials& I can access the
>> resource.
>>
>> Anyone ever experienced anything like this or have any idea what might be
>> going on?
>>
>> Thanks!
>
> Although what you describe sounds like what is sometimes called "token
> bloat", I don't think it can be. When the user logs on, they get a token
> that has the SID of all security groups the user is a member of. This
> includes all groups the user is a direct member of, plus all memberships due
> to group nesting. It does not include distribution groups. If this token is
> too big you should see Event Log messages similar to those in the article
> linked by Andrei. However, my recollection is that this is experienced when
> the user is a member of many more than 5 groups.
>
> The number of SID's in the token should be the same as the number of values
> in the tokenGroups attribute of the user. You can use ADSI Edit to view this
> attribute and count the number of values in the collection. Or you can run a
> script that counts the number of SID's in the tokenGroup attribute.
>
> Another consideration is Universal Group membership, which is saved in the
> Global Catalog. Unless you have Universal Group caching enabled, a GC must
> be contacted during logon to determine Universal Group membership. However,
> if you have only one DC (which must be a GC), this wouldn't seem to be the
> problem. Except if the group that "breaks" authentication is a Universal
> Group, maybe this requires extra communication with the DC. Really, you
> shouldn't have any Universal Groups.
>

"ZEDA" <> wrote in message
news:4bcdbd05$0$22913$...
> Like Richard sais, it sounds like the user is member of too much (nested)
> security groups which causes the Kerberos tokensize to exceed the max.
> Those 3-4 groups you are talking about must have a lot of subgroups
> nested.
>
> Take a look at this knowlegebase article:
>
> http://support.microsoft.com/kb/327825
>
> When this happens the user is not known to be member of certain groups,
> which can result in just about anything.
>
> I experienced this on the job resulting mainly in unaccesable folders.
>
> Each unique membership makes the token larger (domain local groups even
> more than global groups). There is a tool called Tokensz (microsoft
> download) to test the user's token size, but I don't know if it's 2008
> compatible.
>
> If the max tokensize is your problem, be aware that the MaxTokenSize
> registrykey that the knowledgebase article is talking about must be set on
> all computers on which these users logon to.
>
> To generate an overview of all groupmemberships, including the nested
> ones, you can download GroupMemberTree on:
>
> http://www.ZEDA.nl/en/?postid=20100402
>
> Good luck.
>
> ZEDA
>

Here is a VBScript program that reports on the number of security group
memberships, and the size of the tokenGroups attribute in bytes, for a
specified user. Modify the Distinguished Name of the user for your
situation:
==========
Option Explicit
Dim objUser, arrbytGroups, lngNumber, bytSID, lngSize

Set objUser = GetObject("LDAP://cn=Jim Smith,ou=West,dc=MyDomain,dc=com")
objUser.GetInfoEx Array("tokenGroups"), 0
arrbytGroups = objUser.tokenGroups
lngNumber = UBound(arrbytGroups) + 1
Wscript.Echo "Number of security groups: " & CStr(lngNumber)
lngSize = 0
For Each bytSID In arrbytGroups
lngSize = lngSize + LenB(bytSID)
Next
Wscript.Echo "Token size in bytes: " & CStr(lngSize)
=========
The size of the tokenGroups attribute is probably not the same as the size
of the token the user gets at logon, but it is closely related.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

On Mon, 19 Apr 2010 16:15:33 -0700, Vegas or Bust
<> wrote:

>Hello,
>
>I seem to be having a strange problem with my Active Directory user
>accounts.
>
>We have a Windows 2008 AD domain, with our only domain controller
>located at a remote data center. All of our locations have connectivity
>to the data center through a private MPLS network, with varying speeds.
>
>Users at my largest office seem to lose the ability to properly
>authenticate to AD if they are added to too many security groups. At
>first we thought it was a specific group causing the problem, but any
>new group will reproduce the issue. There doesn't seem to be any magic
>number of groups that causes the problem either. Some users are already
>members of 3-4 security groups, add a 5th one and authentication breaks.
>
>When the problem occurs, users no longer seem to authenticate to the
>domain. They log onto their computer and do not run the login script.
>Login also takes a lot longer -- it seems to sit and wait for a while
>before completing. Once the user is logged into their PC, they can't
>access any networked resources. If I try and map a network drive, I'll
>get prompted for credentials. Enter the credentials & I can access the
>resource.
>
>Anyone ever experienced anything like this or have any idea what might
>be going on?
>
>Thanks!

For starters, can you provide us with an ipconfig /all of the DC and
of the client, please? This will allow us to evaluate any basic
misconfigurations, if they exist.

Thank you,


Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

I don't have remote access to the DC (it's managed by a hosting company)
but will request a copy of the logs.

I'm seeing the following errors in the System logs on my workstation:

Event ID: 5719
Source: NETLOGON

No domain controller is available for domain XXXX due to the following:
The RPC server is unavailable. Make sure that the computer is connected
to the network and try again. If the problem persists, please contact
your domain administrator.

Event ID: 40960
Source: LSASRV

The Security System detected an attempted downgrade attack for server
cifs/xxx.xxx.xxx (the name of my file server). The failure code from
authentication protocol Kerberos was "There are currently no logon
servers available to service the logon request. (0xc000005e)

Event ID: 40961
Source: LSASRV

The Security System could not establish a secured connection with the
server cifs/xxx.xxx.xxx (again, the name of my file server). No
authentication protocol was available.

This one is in my Application logs:

Event ID: 1054
Source: Userenv

Windows cannot obtain the domain controller name for your computer
network. (A socket operation was attempted to an unreachable host.).
Group policy processing aborted.



I'll post any errors on the DC once I get a copy of the logs.

Thanks.


On 4/20/2010 1:49 AM, Baris DOGAN wrote:
> Hi Vegas
>
> can you pls post the events esp. on DC.
>
> Do you have Events 3210,5722,5723 from netlogon?
>
> Best Regards
> Baris DOGAN
> MCT ,CCNA, MCSE 2K/2K3 + Security
>
>
> "Vegas or Bust" wrote:
>
>> Hello,
>>
>> I seem to be having a strange problem with my Active Directory user
>> accounts.
>>
>> We have a Windows 2008 AD domain, with our only domain controller
>> located at a remote data center. All of our locations have connectivity
>> to the data center through a private MPLS network, with varying speeds.
>>
>> Users at my largest office seem to lose the ability to properly
>> authenticate to AD if they are added to too many security groups. At
>> first we thought it was a specific group causing the problem, but any
>> new group will reproduce the issue. There doesn't seem to be any magic
>> number of groups that causes the problem either. Some users are already
>> members of 3-4 security groups, add a 5th one and authentication breaks.
>>
>> When the problem occurs, users no longer seem to authenticate to the
>> domain. They log onto their computer and do not run the login script.
>> Login also takes a lot longer -- it seems to sit and wait for a while
>> before completing. Once the user is logged into their PC, they can't
>> access any networked resources. If I try and map a network drive, I'll
>> get prompted for credentials. Enter the credentials& I can access the
>> resource.
>>
>> Anyone ever experienced anything like this or have any idea what might
>> be going on?
>>
>> Thanks!
>> .
>>

Thank you for this. I ran it against one particularly troublesome user
and these were the results:

Number of security groups: 5
Token size in bytes: 128

Most of my users are not members of very many groups, and none of them
have nested memberships. It's a fairly basic implementation for a small
company.

Thanks.

On 4/20/2010 8:07 AM, Richard Mueller [MVP] wrote:
> Option Explicit
> Dim objUser, arrbytGroups, lngNumber, bytSID, lngSize
>
> Set objUser = GetObject("LDAP://cn=Jim Smith,ou=West,dc=MyDomain,dc=com")
> objUser.GetInfoEx Array("tokenGroups"), 0
> arrbytGroups = objUser.tokenGroups
> lngNumber = UBound(arrbytGroups) + 1
> Wscript.Echo "Number of security groups: "& CStr(lngNumber)
> lngSize = 0
> For Each bytSID In arrbytGroups
> lngSize = lngSize + LenB(bytSID)
> Next
> Wscript.Echo "Token size in bytes: "& CStr(lngSize)

Thank you for this information. I made this change on one of
workstations and it seemed to resolve the problem, however it made
everything very slow. Logging in takes multiple minutes (used to be
less than a minute), opening network resources is very slow, etc.

Any idea why this makes it so slow, or if there is a way to speed things up?

Thanks.

On 4/20/2010 2:13 AM, Andrei Ungureanu wrote:
> This sounds like a MTU issue and might happen because of the IP
> fragmentation that occurs over your MPLS network.
> With every group added, the group SID is added to the kerberos ticket
> and if that ticket won't fit in a single frame over the MPLS network, it
> will be fragmented. Since this is happening over UDP, if the packets
> won't arrive in order some of them will be dropped, resulting in your
> issue.
> Check here for an explanation and how to change it to TCP:
> http://support.microsoft.com/?kbid=244474
>
> Andrei Ungureanu
> www.winadmins.net
>
> "Vegas or Bust" <> wrote in message
> news:#...
>> Hello,
>>
>> I seem to be having a strange problem with my Active Directory user
>> accounts.
>>
>> We have a Windows 2008 AD domain, with our only domain controller
>> located at a remote data center. All of our locations have
>> connectivity to the data center through a private MPLS network, with
>> varying speeds.
>>
>> Users at my largest office seem to lose the ability to properly
>> authenticate to AD if they are added to too many security groups. At
>> first we thought it was a specific group causing the problem, but any
>> new group will reproduce the issue. There doesn't seem to be any magic
>> number of groups that causes the problem either. Some users are
>> already members of 3-4 security groups, add a 5th one and
>> authentication breaks.
>>
>> When the problem occurs, users no longer seem to authenticate to the
>> domain. They log onto their computer and do not run the login script.
>> Login also takes a lot longer -- it seems to sit and wait for a while
>> before completing. Once the user is logged into their PC, they can't
>> access any networked resources. If I try and map a network drive, I'll
>> get prompted for credentials. Enter the credentials & I can access the
>> resource.
>>
>> Anyone ever experienced anything like this or have any idea what might
>> be going on?
>>
>> Thanks!
>