Users in multiple groups may result in token bloat

 Active Directory Security, Active Directory, Perumal
May 19 2014

Active Directory Token Bloat

What is Token Bloat?

Token Bloat is one of the major problems faced by IT administrators, which occurs when a single user is a member of too many groups in Active Directory. In a large organization there is an ocean of Active Directory resource like users, groups, computers etc. Each user is required to play a unique role in the organization, so it's the IT administrators' responsibility to assign sufficient permissions to the user to access the services and applications necessary to perform his/her task. At the same time IT administrators are required to maintain the security standards of their organization. As a result their job becomes more complex and granular in providing and denying specific permissions to each user. Moreover it is unavoidable to add a user as a member to multiple security groups to assign permissions. This results in stuffing of security groups or SID History items into a user token, which in turn increases the Kerberos Token Size above the default size of 20000 bytes.

What are the Symptoms for Token Bloat?

Based on the number of groups a single user is memberOf, the intensity of Token Bloat varies as follows,

According to this KB Article , for an user account who is a member of more than 100 groups,
"When you try to connect to a Microsoft Internet Information Server (IIS) computer that is configured to use Microsoft Windows 2000 authentication, you receive an Enter Network Password dialog box. When you try to log on, you may be prompted to provide your network credentials again, and after you do so, you may receive the following error message:
You are not authorized to view this page
You do not have permission to view this directory or page using the credentials you supplied."
According to this KB Article , for an user account who is a member of 1,015 groups,
"When a user tries to log on to a computer by using a local computer account or a domain user account, the logon request may fail with the following error message:
Logon Message: The system cannot log you on due to the following error: During a logon attempt, the user's security context accumulated too many security IDs. Please try again or consult your system administrator."

The screenshot given below is generated during logon of a user (member of 1200 groups) in the test lab,


Token bloat error during login process

What are the Causes for Token Bloat?

  • Users Migration from one domain to other including SID History to preserve access to resources for the user.
  • User added as member to many security groups and those groups are nested into other group memberships.

How to Prevent Token Bloat?

The only way to prevent token bloat is to reduce the number of group membership for users.

Dynamic Access Control

Dynamic Access Control considerably reduces the complexity of a combinatorial number of security groups, so that you can have a clear understanding of who can access what data and you are able to easily adjust access when people move between different roles in the company.

Reference- http://blogs.technet.com/b/filecab/archive/2012/05/29/getting-started-with-central-access-policies-reducing-security-group-complexity-and-achieving-data-access-compliance-using-dynamic-access-control.aspx

Effect of Nested-Group Model on Token Bloat

Nested AD groups does not solve the token bloat issue, instead it makes it worse. If you look at a user in Active Directory, and look at the "Member Of" tab, you'll only see the short list of transitive role-based groups. But you will not be able to see the intransitive groups that are nested as members of role-based groups. However, the user's Kerberos token will contain both, thus making token bloat much worse.

Kerberos token gets the SIDs for the groups the Active Directory users belongs to from the tokenGroups attribute. The screenshot given below is on test user - Ben's membership to the list of SIDs of groups from ADSIEDIT,

Token bloat- SID history

How to Fix Token Bloat?

By overriding the default value of "MaxTokenSize" registry entry, which is located under System\CurrentControlSet\Control\Lsa\Kerberos\Parameters, you can avoid the token bloat error during the login. The default value of this registry entry is 20000, but by starting Windows Server 2012, this value is set with 48000 bytes by default. This blog explains better about "MaxTokenSize" improvements in Windows Server 2012.