I have been testing domain based DFS (Windows 2000 Server mode) for the past few days and was hit with an issue which took me 2 days to solve it. Although the servers are Windows Server 2008 but our domain and forest functional level are still at 2003.
After setting up the DFS share, I was all ready to access the share using my Windows 7 computer. I typed in the path \\mydomain.com\test\share and received an error message that bothered me for the next 2 days.
Now if I used the server name instead of the domain name, it works fine. Then I tried accessing the \\mydomain.com\test\share share using Windows XP with SP3 and it works. Tried on Windows Server 2003 and it also works.
So I thought it is Windows 7 problem so I asked another colleague also using Windows 7 to try it but it works for him! Then I logged on my Windows 7 and it works as well. So the problem is not exactly Windows 7. I started to google, hoping to find someone in the same situation as me. In fact, I did find a few but none of the solution works for me. Here are the possible solution I found on my journey to nail down this issue.
A hotfix from Microsoft “You cannot access a DFS share through a mapped network drive on a computer that is running Windows 7 or Windows Server 2008 R2”.
Disable IPv6. Was already disabled on my computer and the servers.
Turing off UAC “After you turn on User Account Control in Windows Vista, programs may be unable to access some network locations”. Already turned off.
Lower down the authentication level on Windows 7 http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/63b92708-b86d-4526-b8d9-c3c02cfde408. Our XP and Windows 2003 machines are at the same authentication level as Windows 7.
Flush the cache using the dfsutil.exe (dfsutil /pktflush).
I tried all the suggestion but none solves my issue. I was pulling my hair on this ( no wonder I am losing so much hair these days). Now, did I say it does work on my Windows 7 computer using another account but not my account. But using my account on Windows XP and Windows 2003 is also working. Hmmm…., could it be Windows 7 plus my account that caused the issue?
Well, it turned out to be the case. When I looked at the System event log on my Windows 7, I am seeing the following warning.
Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 1/11/2011 1:10:58 PM
Event ID: 6
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: MYWin7.mydomain.com
Description:
The kerberos SSPI package generated an output token of size 13907 bytes, which was too large to fit in the token buffer of size 12000 bytes, provided by process id 952.
The output SSPI token being too large is probably the result of the user justme@mydomain.com being a member of a large number of groups.
It is recommended to minimize the number of groups a user belongs to. If the problem can not be corrected by reduction of the group memberships of this user, please contact your system administrator to increase the maximum token size, which in term is configured machine-wide via the following registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.
This link http://technet.microsoft.com/en-us/library/dd348689(WS.10).aspx describes the event and the solution.
One of the workaround stated is to increase the token size all the KDC servers. However, I did try increasing it on my Windows 7 computer and after that I can access the share. But it throws another warning in the System event log.
Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 1/11/2011 1:16:11 PM
Event ID: 15
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: MYWin7.mydomain.com
Description:
The kerberos SSPI package generated an output token of size 13906 bytes, which was too large to fit in the token buffer of size 12000 bytes, provided by process id 4.
The application needs to be fixed to supply a token buffer of size at least 65535 bytes.
Although it works but the warning makes me feel very uncomfortable. So I removed the token size modification and reduced the number of group membership for my account. After doing so, it works like a charm. No warning of oversized token and accessing to the share is working.
The cause to this issue – Windows 7 plus an account with oversized token!
1 comment:
nice, thanks for sharing your issue and the road to the solution
Post a Comment