Friday, October 24, 2008

Token Bloat

A colleague called having issues administering his domain.

DCDiag reported:
DsBindWithSpnEx() failed with error 14,
Not enough storage is available to complete this operation..
Warning: is the Schema Owner, but is not responding to DS RPC Bind.
Warning: is the Domain Owner, but is not responding to DS RPC Bind.
Warning: is the PDC Owner, but is not responding to DS RPC Bind.
Warning: is the Rid Owner, but is not responding to DS RPC Bind.
Warning: is the Infrastructure Update Owner, but is not responding to DS RPC Bind.


Additionally, the following Kerberos errors were being reported.

Event Type: Warning
Event Source: Kerberos
Event ID: 6
Description:
The kerberos SSPI package generated an output token of size 6F43 bytes, which was too large to fit in the 6F42 buffer provided by process id 0. If the condition persists, please contact your system administrator.

The following questions were asked:
1. Do your colleagues who are "Domain Admins" also see these errors?
2. Using your account can you run "whoami /groups" and send the results.

It looks like we are experiencing Kerberos problems caused by token size, like those discussed in http://support.microsoft.com/kb/935744

The first thing to do is:
1. Determine if it is just your account with the problem.
2. Has your group membership changed recently? Have you accidentally become a member of a large number of groups due to nesting - this occasionally happens.
3. If your account is a member of a large number of groups and these are all needed, we'll have to look at setting MaxTokenSize.

As a result, they remembered that some recent group changes had taken place. These were reviewed and modified. After doing so, all was well with the world.
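To put a number on the "large number of groups" question before touching MaxTokenSize, the group list can be run through Microsoft's documented estimate, TokenSize = 1200 + 40d + 8s. The script below is an added example, not part of the original troubleshooting: it reads `whoami /groups /fo csv` output and compares the estimate with a limit. It assumes that "Alias" rows with a domain SID are domain local groups (d), that "Group" rows are global or universal groups (s), and that the limit is 12000 bytes; universal groups from other domains and SID history cannot be told apart in this output, so the result is a lower bound.

```python
import csv
import io

DOMAIN_SID_PREFIX = "S-1-5-21-"   # SIDs issued by a domain (or machine) authority
DEFAULT_MAX_TOKEN_SIZE = 12000    # assumed: documented default before Windows Server 2012

def estimate_token_size(whoami_csv, max_token_size=DEFAULT_MAX_TOKEN_SIZE):
    """Estimate Kerberos token size from `whoami /groups /fo csv` text."""
    d = s = 0
    for row in csv.DictReader(io.StringIO(whoami_csv)):
        if not row["SID"].startswith(DOMAIN_SID_PREFIX):
            continue  # well-known groups, BUILTIN aliases, integrity labels
        if row["Type"] == "Alias":      # assumption: domain local group -> 40 bytes
            d += 1
        elif row["Type"] == "Group":    # assumption: global/universal group -> 8 bytes
            s += 1
    estimate = 1200 + 40 * d + 8 * s
    return {"d": d, "s": s, "estimate": estimate,
            "over_limit": estimate > max_token_size}

def constructed_output(domain_local, global_groups):
    """Build made-up whoami CSV output; every name and SID here is constructed."""
    attrs = "Mandatory group, Enabled by default, Enabled group"
    rows = [("Group Name", "Type", "SID", "Attributes"),
            ("Everyone", "Well-known group", "S-1-1-0", attrs),
            ("BUILTIN\\Administrators", "Alias", "S-1-5-32-544", attrs)]
    rows += [(f"EXAMPLE\\DL-{i}", "Alias", f"S-1-5-21-1-2-3-{2000 + i}", attrs)
             for i in range(domain_local)]
    rows += [(f"EXAMPLE\\GG-{i}", "Group", f"S-1-5-21-1-2-3-{5000 + i}", attrs)
             for i in range(global_groups)]
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL).writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    # Two constructed accounts: a normal one and one inflated by group nesting.
    for label, text in (("before nesting", constructed_output(10, 40)),
                        ("after nesting", constructed_output(250, 400))):
        print(label, estimate_token_size(text))
```

Running it against the output from a second Domain Admin account gives a quick answer to whether only one account is affected.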