    Tokensz

    Tool for discovering MaxTokenSize
    • Version: 1
      File Name: tokensz_package.exe
      Date Published: 6/18/2004
      File Size: 91 KB

        This tool will compute the maximum token size and is used to test whether a system may exhibit the issue described in KB article 327825.
    • Supported Operating System

      Windows Server 2003
      • Examples of Kerberos Token Size in Use
        Example 1: Incomplete context
        To determine the maximum Kerberos token size using incomplete context:

        • Type the following at the command line:

        tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/server1

        • When you press ENTER, the following output is displayed:

        Name: Negotiate Comment: Microsoft Package Negotiator

        Current PackageInfo->MaxToken: 12128

        MaxTokenSize (incomplete context): 2181


        In this example:

        “MaxTokenSize (incomplete context)” indicates that the protocol could not perform all legs of authentication. In this case, “(incomplete context)” was returned because the server was specified as server 1, but the test was run under the user account. However, this is still a reasonable estimate of the maximum token size required for this user to authenticate to server 1.

        Example 2: Administrator account to server host with delegation requested
        To determine the maximum Kerberos token size for administrator to the host server 1:

        • Type the following at the command line:

        tokensz /compute_tokensize /package:negotiate /target_server:host/server1 /user:administrator /password:ClientPassword /domain:UserDomain /use_delegation

        • When you press ENTER, the following output is displayed:

        Name: Negotiate Comment: Microsoft Package Negotiator

        Current PackageInfo->MaxToken: 12128

        Asked for delegate, but didn't get it

        Check if server is trusted for delegation.

        QueryKeyInfo:

        Signature algorithm =

        Encrypt algorithm = RSADSI RC4-HMAC

        KeySize = 128

        Flags = 2081e

        Signature Algorithm = -138

        Encrypt Algorithm = 23

        Start:4/2/2003 5:54:19

        Expiry:4/2/2003 6:54:19

        Current Time: 4/2/2003 5:54:19

        MaxToken (complete context) 1375


        In this example:

        • “Asked for delegate, but didn’t get it” indicates that delegation was not used. This happens if the target server is not trusted for delegation, or if the user account has the “Account is sensitive and cannot be delegated” option selected.

        • “MaxToken (complete context)” indicates that all authentication legs have been completed, and that this is a reliable value for maximum token size for server 1.
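
As an added example (not part of the original page or of the tool), the Python below parses the /compute_tokensize output shown in Examples 1 and 2 and compares the measured token size with the package's current MaxToken. The function names and the 80% warning threshold are assumptions made for illustration.

```python
import re

# Constructed sample: the Example 2 output shown on this page, blank lines removed.
SAMPLE = """\
Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 12128
Asked for delegate, but didn't get it
Check if server is trusted for delegation.
MaxToken (complete context) 1375
"""

LIMIT_RE = re.compile(r"PackageInfo->MaxToken:\s*(\d+)")
# Covers both result lines on the page:
#   "MaxTokenSize (incomplete context): 2181" and "MaxToken (complete context) 1375"
SIZE_RE = re.compile(r"MaxToken(?:Size)?\s*\((incomplete|complete) context\):?\s*(\d+)")
# Accepts a straight or typographic apostrophe in "didn't".
NO_DELEG_RE = re.compile(r"Asked for delegate, but didn.t get it")


def parse_tokensz(text):
    """Extract the package limit, measured token size and context state."""
    limit, size = LIMIT_RE.search(text), SIZE_RE.search(text)
    if limit is None or size is None:
        raise ValueError("not /compute_tokensize output")
    return {
        "package_max_token": int(limit.group(1)),
        "token_size": int(size.group(2)),
        "complete": size.group(1) == "complete",
        "delegation_refused": NO_DELEG_RE.search(text) is not None,
    }


def assess(result, warn_ratio=0.8):
    """Classify headroom; warn_ratio is a hypothetical threshold, not a tool value."""
    size, limit = result["token_size"], result["package_max_token"]
    if size > limit:
        status = "over"
    elif size >= warn_ratio * limit:
        status = "near"
    else:
        status = "ok"
    # An incomplete context is only an estimate, so mark it for a re-run.
    return status if result["complete"] else status + " (estimate)"


if __name__ == "__main__":
    parsed = parse_tokensz(SAMPLE)
    print(parsed, assess(parsed))
```
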


        Example 3: Using /calc_groups
        To calculate group membership for user 1:

        • Type the following at the command line:

        tokensz /calc_groups user1


        • When you press ENTER, the tool returns a list of Kerberos token contents. In this example, the following output is displayed:

        Username = user1

        TS Session ID: 0

        User

        S-1-5-21-148402017-3776891892-3157626230-1945

        Groups:

        00 S-1-5-21-148402017-3776891892-3157626230-513 Attributes - Mandatory Default Enabled

        01 S-1-1-0 Attributes - Mandatory Default Enabled

        02 S-1-5-32-545 Attributes - Mandatory Default Enabled

        03 S-1-5-32-554 Attributes - Mandatory Default Enabled

        04 S-1-5-2 Attributes - Mandatory Default Enabled

        05 S-1-5-11 Attributes - Mandatory Default Enabled

        06 S-1-5-15 Attributes - Mandatory Default Enabled

        07 S-1-5-5-0-17077419 Attributes - Mandatory Default Enabled LogonId

        Primary Group:

        S-1-5-21-148402017-3776891892-3157626230-513

        Privs

        00 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default

        01 0x000000006 SeUnsolicitedInputPrivilege Attributes - Enabled Default

        Auth ID 0:10494b4

        Impersonation Level: Identification

        TokenType Impersonation
