
During a logon attempt, the user’s security context accumulated too many security IDs

Symptoms

  • When you try to log on to a domain or connect to a network share on a server, you may receive the following error message (error code 1384):
    During a logon attempt, the user’s security context accumulated too many security IDs.

Cause

  • This behavior occurs because Windows systems enforce a limit that prevents a user’s security access token from containing more than 1,000 security identifiers (SIDs). This means that when a user is being validated for access rights to establish a new session with a server, that user must not be a member of more than 1,000 groups in that server’s domain. If this limit is exceeded, access to the server is denied, and error code 1384 is returned to the user. If the server that the user connects to is in a second domain (for example, if the user connects to a server in a Windows 2000 resource domain), the total number of groups the user is a member of is determined by adding the user’s group membership in that second domain to the user’s global group membership in their own domain.

Resolution

  • Reduce/consolidate group membership
  • Clean up SID history
  • Limit the number of accounts that are configured as “trusted for delegation”. For accounts that are configured as “Trusted for delegation”, the buffer requirements for each SID may double.
  • Modify MaxTokenSize registry key
    • Start Registry Editor (Regedt32.exe)
    • Locate and click the following key in the registry:
      System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    • If this key is not present, create the key. To do so:
      1. Click the following key in the registry:
        System\CurrentControlSet\Control\Lsa\Kerberos
      2. On the Edit menu, click Add Key.
      3. Create a Parameters key.
      4. Click the new Parameters key.
      5. On the Edit menu, click Add Value, and then add the following registry value:
        Value name: MaxTokenSize
        Data type: REG_DWORD
        Radix: Decimal
        Value data: 48000
      6. Quit Registry Editor.
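The same registry change can be scripted so it is repeatable across servers and leaves a record of the previous value. The following is an added example and not part of the original article; it writes the MaxTokenSize value from the procedure above with PowerShell instead of Regedt32 and must be run in an elevated session on the affected server.

```powershell
# Added example: set MaxTokenSize under the Kerberos Parameters key (same key,
# value name, type and data as the article's Regedt32 procedure).
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$valueName = 'MaxTokenSize'
$desired   = 48000   # decimal value from the article's procedure

# Microsoft documents 65535 as the largest supported MaxTokenSize; refuse anything larger.
if ($desired -lt 1 -or $desired -gt 65535) {
    throw "MaxTokenSize must be between 1 and 65535, got $desired"
}

# Create the Parameters key if it is missing (equivalent to "Add Key" in the article).
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Record the current value first so the change is reversible and auditable.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    Write-Host "Current $valueName: <not set>"
} else {
    Write-Host "Current $valueName: $current"
}

# REG_DWORD corresponds to -PropertyType DWord; -Force overwrites an existing value.
New-ItemProperty -Path $keyPath -Name $valueName -Value $desired -PropertyType DWord -Force | Out-Null

# Read the value back and verify it rather than trusting the write succeeded.
$after = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($after -ne $desired) {
    throw "Verification failed: $valueName is $after, expected $desired"
}
Write-Host "$valueName is now $after. Restart the server for the new value to take effect."
```

Run it once per server that returns error 1384; the read-back check at the end catches a failed or partial write before the server is restarted.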

Tip: Keep in mind that there is a hard limit of 1,015 groups a user can be a member of. If a user tries to log on to a computer by using a local or domain account and they are a member of more than 1,015 groups, they will get this logon message: The system cannot log you on due to the following error: During a logon attempt, the user’s security context accumulated too many security IDs. Please try again or consult your system administrator.

You can compile a report of your users’ Kerberos token size by running this script

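The script referenced above is not reproduced on this page. The following is an added example, not the article’s own script, that builds such a report with the ActiveDirectory module. It uses Microsoft’s published token sizing formula (TokenSize = 1200 + 40d + 8s, where d counts domain local groups, universal groups from other domains and SID history entries, and s counts global groups and universal groups from the user’s own domain), and it flags both failure modes the article describes: an estimated token larger than MaxTokenSize, and a group count at or over the 1,015 hard limit that no MaxTokenSize setting can fix. The OU in $searchBase is an assumed placeholder.

```powershell
# Added example (not the article's script): estimate each enabled user's Kerberos token
# size with the formula TokenSize = 1200 + 40*d + 8*s and report the largest tokens first.
Import-Module ActiveDirectory

$searchBase     = 'OU=Staff,DC=corp,DC=example'  # assumption: replace with your OU or domain root
$maxTokenSize   = 48000                           # value from the article's registry procedure
$hardGroupLimit = 1015                            # hard limit quoted in the article's tip
$localDomainSid = (Get-ADDomain).DomainSID.Value

function Get-TokenSizeEstimate {
    param([string]$DistinguishedName)

    # tokenGroups is a constructed attribute: the DC expands the user's transitive
    # (nested) group membership into one SID per group, which is what fills the token.
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $entry.RefreshCache([string[]]@('tokenGroups', 'sIDHistory'))

    $d = $entry.Properties['sIDHistory'].Count   # each SID-history entry costs 40 bytes
    $s = 0
    $unresolved = 0

    foreach ($raw in $entry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        try {
            $group = Get-ADGroup -Identity $sid.Value -ErrorAction Stop
        } catch {
            # SIDs this domain cannot resolve (for example groups from a trusted domain)
            # are counted as 40-byte entries, the conservative choice.
            $unresolved++
            $d++
            continue
        }
        switch ($group.GroupScope.ToString()) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   {
                if ($sid.AccountDomainSid.Value -eq $localDomainSid) { $s++ } else { $d++ }
            }
        }
    }

    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        GroupCount        = $entry.Properties['tokenGroups'].Count
        SidHistoryCount   = $entry.Properties['sIDHistory'].Count
        Unresolved        = $unresolved
        EstimatedBytes    = 1200 + 40 * $d + 8 * $s
    }
}

$report = Get-ADUser -Filter 'enabled -eq $true' -SearchBase $searchBase |
    ForEach-Object { Get-TokenSizeEstimate -DistinguishedName $_.DistinguishedName } |
    Sort-Object -Property EstimatedBytes -Descending

# ExceedsMaxTokenSize: the token will not fit even after the registry change.
# OverHardLimit: the group count itself is the problem and membership must be reduced.
$report | Select-Object DistinguishedName, GroupCount, SidHistoryCount, Unresolved, EstimatedBytes,
    @{ n = 'ExceedsMaxTokenSize'; e = { $_.EstimatedBytes -gt $maxTokenSize } },
    @{ n = 'OverHardLimit';       e = { $_.GroupCount -ge $hardGroupLimit } } |
    Format-Table -AutoSize
```

The formula is an estimate, not the exact ticket size; users that show up with a high SidHistoryCount or a large number of domain local groups are the ones where the “Clean up SID history” and “Reduce/consolidate group membership” steps above pay off most, because those entries cost 40 bytes each against 8 bytes for a global group.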

Updated on July 26, 2017
