Security Token Sizes and Kerberos Authentication

  • Last Post 03 January 2017
miallen posted this 23 August 2007

Hi List,

I'm wondering what policies people have regarding the number of
security groups and thus security token sizes. Do large sites
proactively try to reduce and refactor security groups to minimize the
impact of large Kerberos tokens on authentication performance and
network efficiency?

I have an Apache based Kerberos authentication product that will fail
if the Negotiate header submitted by the client exceeds Apache's
DEFAULT_LIMIT_REQUEST_FIELDSIZE of 8192. With Apache 2.0.53+ it can be
increased with a LimitRequestFieldSize 16382 conf directive but the
issue still concerns me and I want to know if it is appropriate to ask
customers to try to reduce the number of security groups they use.

Also, I know there is a MS tool to compute the size of a user's
security token but I don't recall the name of it. It's like 'toksize'
or something like that. Does someone recall the name of it and/or have
a pointer?

Thanks,
Mike
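As an added illustration (not code from the post or the activedir list), the following Python turns a group count into an estimated Kerberos token size, then into the length of the Authorization: Negotiate header line, and checks it against the 8192 and 16382 byte limits quoted above. The group-to-token formula is Microsoft's rule-of-thumb estimate and is an assumption here; the header prefix and base64 overhead are exact.

```python
import base64

# Apache limits quoted in the post (bytes per request header line).
APACHE_DEFAULT_FIELD_LIMIT = 8192   # DEFAULT_LIMIT_REQUEST_FIELDSIZE
APACHE_RAISED_FIELD_LIMIT = 16382   # LimitRequestFieldSize 16382

# The SPNEGO token travels base64-encoded in this request header.
HEADER_PREFIX = "Authorization: Negotiate "


def estimate_token_size(d: int, s: int) -> int:
    """Rule-of-thumb Kerberos token (PAC) size in bytes.

    Assumption: Microsoft's published estimate TokenSize = 1200 + 40d + 8s,
    where d = domain local groups + universal groups outside the account
    domain (+ SIDHistory entries) and s = global groups + universal groups
    inside the account domain. Real tokens vary; measure with tokensz.
    """
    return 1200 + 40 * d + 8 * s


def negotiate_header_length(token_size: int) -> int:
    """Bytes on the wire for the header line carrying a token of token_size bytes."""
    # Encode a constructed zero-filled token of the same length; base64 output
    # length depends only on input length, so this gives the exact 4*ceil(n/3).
    encoded = base64.b64encode(bytes(token_size))
    return len(HEADER_PREFIX) + len(encoded)


def fits(token_size: int, limit: int = APACHE_DEFAULT_FIELD_LIMIT) -> bool:
    """True if Apache would accept the header line under the given limit."""
    return negotiate_header_length(token_size) <= limit


def max_domain_local_groups(limit: int, s: int = 0) -> int:
    """Largest d (s held fixed) whose estimated token still passes the limit."""
    d = 0
    while fits(estimate_token_size(d + 1, s), limit):
        d += 1
    return d


if __name__ == "__main__":
    for d, s in ((100, 50), (150, 50)):
        size = estimate_token_size(d, s)
        print(f"d={d} s={s}: token ~{size} B, header {negotiate_header_length(size)} B, "
              f"default ok={fits(size)}, raised ok={fits(size, APACHE_RAISED_FIELD_LIMIT)}")
    for limit in (APACHE_DEFAULT_FIELD_LIMIT, APACHE_RAISED_FIELD_LIMIT):
        print(f"limit {limit}: up to {max_domain_local_groups(limit, s=50)} "
              "domain local groups with 50 global groups")
```

Because the limit applies to the whole header line and base64 inflates the token by a third, a token well under 8192 bytes can still be rejected; the estimate only tells you roughly where to start refactoring group membership.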

tvanderkooi posted this 03 January 2017

We have a very similar setup and we see the service account being logged when it is the cause of the internet request (Windows Updates, Service Desk check-ins, etc.) while the user account is logged for web browsing. Are you seeing something different?

TV


a-ko posted this 03 January 2017

Are you sure you’re just not seeing everything?

As Jeff K mentioned, if it’s an internet-based discovery agent (like Service Now), and Service Now is operating as a domain-based service account, it will have a Kerberos Ticket issued to itself as a user.

And if it’s trying to connect out to the internet to report information, it very well could use the agent’s service account ticket to initiate that connection.

It’s also then possible that the proxy is caching this information for the client from there on out for authentication for that device and just associating all connections from that device as associated with that user. This would be bad behavior, but I could see it doing this in the interest of speed of the connection (caching authentication requests to limit the number of times it has to re-authenticate).

So in short? Probably.

To get around this, I would just enable bypass authentication for remote URLs for the agent inventory system. In theory, this should mean the first time a user authenticates it should be when the user initiates the authentication (via the web browser), rather than the service trying to report inventory.

-Mike Cramer


MThommes posted this 24 August 2007

Hi All,
While we are on the subject, can someone give me the tokensz.exe
syntax to compute a "fully fleshed out" (i.e., "complete context") token
size for a user? I've tried some combinations of arguments, but I don't
like the numbers I see. Since I can see group membership of a user with
my regular user account (e.g., via adfind), will I see a different token
size running tokensz with my regular user account vs. my admin account?
I really don't care about seeing the group names or SIDs of the groups -
just the token size. TIA!

Mike Thommes


miallen posted this 23 August 2007

On 8/23/07, Al Mulnick wrote:
> I believe tokensz is the tool you're looking for.
> http://go.microsoft.com/fwlink/?LinkId=25830
>
> I think it's reasonable to reduce the size of your tokens on a regular
> basis. I'm going through that now as a matter of fact. Working with a
> group to reduce the number of groups that a user is directly a member
> of due to tokenbloat issues.

Thanks. Your link didn't work for me but searching ms.com for tokensz
worked fine.

Mike

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

amulnick posted this 23 August 2007

I believe tokensz is the tool you're looking for.
http://go.microsoft.com/fwlink/?LinkId=25830

I think it's reasonable to reduce the size of your tokens on a regular
basis. I'm going through that now as a matter of fact. Working with a
group to reduce the number of groups that a user is directly a member
of due to tokenbloat issues.


ZJORZ posted this 23 August 2007

separate tool called tokensz

NTDSUTIL option "group membership evaluation" after installing hotfix or SP2


Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU ISA Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
