Microsoft

Tokensz

Share
Language:
English
Tool for discovering MaxTokenSize
  • Details

    Version:
    Date Published:

    1

    6/18/2004

    File name:
    File size:

    tokensz_package.exe

    91 KB

      This tool will compute the maximum token size and is used to test whether a system may exhibit the issue described in KB article 327825.
  • System Requirements

    Supported Operating System

    Windows Server 2003

      Windows Server 2003
  • Install Instructions

      Examples of Kerberos Token Size in Use
      Example 1: Incomplete context
      To determine the maximum Kerberos token size using incomplete context:

      • Type the following at the command line:

      tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/server1

      • When you press ENTER, the following output is displayed:

      Name: Negotiate Comment: Microsoft Package Negotiator

      Current PackageInfo->MaxToken: 12128

      MaxTokenSize (incomplete context): 2181


      In this example:

      MaxTokenSize (incomplete context) indicates that the protocol could not perform all legs of authentication. In this case, (incomplete context) was returned because the server was specified as server 1, but the test was run under the user account. However, this is still a reasonable estimation of the maximum token size required for this user to authenticate to server 1.

      Example 2: Administrator account to server host with delegation requested
      To determine the maximum Kerberos token size for administrator to the host server 1:

      • Type the following at the command line:

      tokensz /compute_tokensize /package:negotiate /target_server:host/server1 /
      user:administrator /password:ClientPassword /domain:UserDomain /use_delegation

      • When you press ENTER, the following output is displayed:

      Name: Negotiate Comment: Microsoft Package Negotiator

      Current PackageInfo->MaxToken: 12128

      Asked for delegate, but didn't get it

      Check if server is trusted for delegation.

      QueryKeyInfo:

      Signature algorithm =

      Encrypt algorithm = RSADSI RC4-HMAC

      KeySize = 128

      Flags = 2081e

      Signature Algorithm = -138

      Encrypt Algorithm = 23

      Start:4/2/2003 5:54:19

      Expiry:4/2/2003 6:54:19

      Current Time: 4/2/2003 5:54:19

      MaxToken (complete context) 1375


      In this example:

      • Asked for delegate, but didn’t get it indicates that delegation was not used. This happens if the target server is not trusted for delegation, or if the user account has the Account is sensitive and cannot be delegated option selected.

      • MaxToken (complete context) indicates that all authentication legs have been completed, and that this is a reliable value for maximum token size for server 1.


      Example 3: Using /calc_groups
      To calculate group membership for user 1:

      • Type the following at the command line:

      tokensz /calc_groups user1


      When you press ENTER, the tool returns a list of Kerberos token contents. In this example, the following output is displayed:

      Username = user1

      TS Session ID: 0

      User

      S-1-5-21-148402017-3776891892-3157626230-1945

      Groups:

      00 S-1-5-21-148402017-3776891892-3157626230-513 Attributes - Mandatory Default Enabled

      01 S-1-1-0 Attributes - Mandatory Default Enabled

      02 S-1-5-32-545 Attributes - Mandatory Default Enabled

      03 S-1-5-32-554 Attributes - Mandatory Default Enabled

      04 S-1-5-2 Attributes - Mandatory Default Enabled

      05 S-1-5-11 Attributes - Mandatory Default Enabled

      06 S-1-5-15 Attributes - Mandatory Default Enabled

      07 S-1-5-5-0-17077419 Attributes - Mandatory Default Enabled LogonId

      Primary Group:

      S-1-5-21-148402017-3776891892-3157626230-513

      Privs

      00 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default

      01 0x000000006 SeUnsolicitedInputPrivilege Attributes - Enabled Default

      Auth ID 0:10494b4

      Impersonation Level: Identification

      TokenType Impersonation

Popular downloads

Free PC updates

  • Security patches
  • Software updates
  • Service packs
  • Hardware drivers
Run Microsoft Update
close
moreinfo