KDC Resource SID Compression
KDC Resource SID Compression is a feature that was introduced on Windows Server 2012 Domain Controllers.
Its purpose is to reduce the risk of Kerberos authentication failures in applications when a user belongs to many groups.
Why may a user face Kerberos authentication failures when they belong to many groups?
Kerberos uses a buffer to store authorization information. This buffer has a maximum size, which protocols such as RPC and HTTP use to allocate memory for authentication. If that size is exceeded, authentication over these protocols fails.
On Windows systems, the maximum size of this buffer is stored in the MaxTokenSize registry entry and has the following default values:
MaxTokenSize
Operating System | MaxTokenSize (bytes)
Windows 2000 (original release version) | 8000
Windows 2000 Service Pack 2 | 12000
Windows Server 2003 | 12000
Windows Server 2003 R2 | 12000
Windows Server 2008 | 12000
Windows Server 2008 R2 | 12000
Windows Server 2012 | 48000
More info
Problems with Kerberos authentication when a user belongs to many groups: http://support.microsoft.com/kb/327825/en-us
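The following PowerShell is an added example, not code from the TechNet article. It reads the MaxTokenSize that is in effect on the local host (falling back to the OS default from the table above when the value is not set) and estimates a user's token size with the formula documented in KB 327825 (TokenSize = 1200 + 40d + 8s, where d counts domain local groups plus universal groups outside the account domain and s counts global security groups plus universal groups inside it). The function names and the group counts in the sample call are constructed for this example.

```powershell
# Added example (not part of the TechNet article): compare an estimated Kerberos
# token size against the MaxTokenSize in effect on this machine.
#   TokenSize = 1200 + 40d + 8s   (estimation formula from KB 327825)
#   d = domain local groups + universal groups outside the account domain
#   s = global security groups + universal groups inside the account domain

function Get-EffectiveMaxTokenSize {
    # MaxTokenSize lives under the Kerberos parameters key; when it is absent the
    # OS default applies: 48000 from Windows 8 / Server 2012 (6.2) on, 12000 before.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $value = (Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    if ($null -ne $value) { return [int]$value }
    if ([System.Environment]::OSVersion.Version -ge [version]'6.2') { return 48000 }
    return 12000
}

function Get-EstimatedTokenSize {
    param(
        [int]$DomainLocalAndForeignUniversal,   # d in the KB formula
        [int]$GlobalAndLocalUniversal           # s in the KB formula
    )
    return 1200 + (40 * $DomainLocalAndForeignUniversal) + (8 * $GlobalAndLocalUniversal)
}

function Test-TokenFits {
    # Returns the estimate, the effective limit, and whether the estimate fits.
    param([int]$d, [int]$s)
    $estimate = Get-EstimatedTokenSize -DomainLocalAndForeignUniversal $d -GlobalAndLocalUniversal $s
    $max      = Get-EffectiveMaxTokenSize
    [pscustomobject]@{
        EstimatedBytes = $estimate
        MaxTokenSize   = $max
        Fits           = ($estimate -le $max)
    }
}

# Constructed sample: 300 domain local / foreign universal groups and 100 global
# groups gives 1200 + 12000 + 800 = 14000 bytes, which already exceeds the
# 12000-byte default of Windows Server 2008 R2 and earlier but fits under 48000.
Test-TokenFits -d 300 -s 100
```

The estimate only covers the group-SID portion of the PAC that the KB formula models; claims and SID history add to the real size, so treat a result close to the limit as a warning rather than a pass.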
What is KDC Resource SID Compression?
The KDC (Key Distribution Center) builds the service tickets that clients use to authenticate to servers and establish a service session. These tickets carry the SIDs added by the resource domain; the Resource SID Compression feature compresses those SIDs so that the tickets are smaller.
In fact, KDC behaves like the following:
| KDC Resource SID Compression Enabled | KDC Resource SID Compression Disabled
How resource SIDs are stored | The KDC stores the resource domain SID and inserts only the RID portion of the SIDs added by the resource domain. | The KDC stores all SIDs added by the resource domain.
Used field | ResourceGroupIds | Extra-SID
More info
Management of SIDs in Active Directory: http://social.technet.microsoft.com/wiki/contents/articles/20590.management-of-sids-in-active-directory.aspx
With this approach, the size of the buffer used to store authorization information decreases significantly, and the risk of exceeding its maximum size becomes lower.
What are the known issues with the KDC Resource SID Compression feature?
Microsoft has already identified that the KDC Resource SID Compression feature may cause authentication problems on NAS devices.
Systems that do not understand how this compression works may face the same problems.
More info
Resource SID Compression in Windows Server 2012 may cause authentication problems on NAS devices: http://support.microsoft.com/kb/2774190/en-us
Is it possible to disable the KDC Resource SID Compression feature on Domain Controllers?
By default, the KDC Resource SID Compression feature is enabled on new Windows Server 2012 Domain Controllers.
It can be disabled by setting the DisableResourceGroupsFields registry value to 1 (under the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters registry key).
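The following PowerShell is an added example, not code from the TechNet article, showing how an administrator would inspect and change the setting described above on a Domain Controller. The key path and value name are the ones the article gives; the function names are constructed for this example, and it assumes an elevated PowerShell session on the DC.

```powershell
# Added example (not part of the TechNet article): read and toggle the
# DisableResourceGroupsFields value that controls KDC Resource SID Compression.
# Key path and value name are taken from the article.

$KdcKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters'
$ValueName = 'DisableResourceGroupsFields'

function Get-KdcResourceSidCompressionState {
    # Compression is enabled by default, so a missing value or 0 means 'Enabled';
    # only an explicit 1 means 'Disabled'.
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item -or $item.$ValueName -ne 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-KdcResourceSidCompression {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    # The policy key may not exist yet on a DC where nothing has been set under it.
    if (-not (Test-Path $KdcKey)) { New-Item -Path $KdcKey -Force | Out-Null }
    $data = if ($State -eq 'Disabled') { 1 } else { 0 }
    New-ItemProperty -Path $KdcKey -Name $ValueName -Value $data -PropertyType DWord -Force | Out-Null
    # Return the state as read back from the registry so the caller can verify it.
    Get-KdcResourceSidCompressionState
}

# Record the current state first so the change can be reverted later.
Write-Output ("Current state: " + (Get-KdcResourceSidCompressionState))

# Disable compression only while a NAS or other client cannot parse the
# ResourceGroupIds field; re-enable with -State Enabled once that is resolved.
Set-KdcResourceSidCompression -State 'Disabled'
```

Because each Domain Controller reads the value from its own registry, apply the same setting on every DC in the domain (or deploy it through Group Policy Preferences); otherwise clients receive compressed or uncompressed tickets depending on which KDC they happen to contact.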
See also
Other Languages
This article is available in other languages.
- Compression du KDC Resource SID (fr-FR)