Re: Unable to connect if member of many groups



Hi Rick,

Thanks for your reply. No, I do not see error 17832, only "Cannot generate
SSPI context".

I have tried to increase the MaxTokenSize (to ffff) on all servers and a
client, and it raises the limit from 119 groups to at least 512 groups which
is enough for my setup. I will try to find the optimal value.

Can you tell me anything about what type of "operations" will be affected
(in performance) by this increased value? Is it a serious drop in
performance, or just a "minor" drop?

Thanks
Jan Ahlbeck, MCP

"Rick Byham, (MSFT)" wrote:

Do you also receive error 17832? I just posted this early in the week:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=SQL%20Server&ProdVer=10.0&EvtID=17832&EvtSrc=MSSQLServer&LCID=1033
(I know the links in that topic aren't formatting correctly. Working on
that.)
--
Rick Byham (MSFT)
This posting is provided "AS IS" with no warranties, and confers no rights.

"JanAhlbeck" <JanAhlbeck@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B38AB210-D5C3-438B-BBDA-93AC40106CB8@xxxxxxxxxxxxxxxx
Hi,

I have the following setup:

1 Windows 2000 Server as Domain Controller (sp3)
2 Windows 2003 Server x64 (sp2) with 2005 x64 SQL Server Enterprise (sp2)
100+ Windows 2000 and XP clients

I have a setup where Active Domain users are members of many groups.
Clients can connect to the SQL Server without any problems, as long as the
user is not a member of more than 268 AD groups!! If the user is a member of
more than 268 groups, the user cannot connect to the SQL Server
([DBNETLIB][ConnectionRead(recv()).] General network error.....). If a
member of more than 269 groups, I get the "Cannot generate SSPI context"
error.

If I enable trusted account delegation for the account that runs the sql
server service on both sql servers, it reduces the number of groups from
268 to 119 groups!

I would expect that this limit would be the same as the Access Token
Limitation which is 1024, see:
http://www.microsoft.com/downloads/details.aspx?FamilyID=22DD9251-0781-42E6-9346-89D577A3E74A&displaylang=en

Why this limit? Any explanation to this issue? Is it possible to raise the
limit? Fixes?

Thanks
Jan Ahlbeck
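
An added example, not part of the original thread: it applies Microsoft's published Kerberos token-size estimate (TokenSize = 1200 + 40d + 8s bytes) to the group counts reported above. The default MaxTokenSize of 12000 and the idea that every group in this setup costs 40 bytes are assumptions, not something the posters state.

```python
# Added illustration: Microsoft's published estimate for Kerberos token size,
# TokenSize = 1200 + 40*d + 8*s (bytes), checked against the thread's numbers.
# Assumptions (not stated in the thread): a default MaxTokenSize of 12000 on
# these Windows versions, and every group costing 40 bytes (the "d" class).

OVERHEAD = 1200      # fixed overhead term in the estimate
D_COST = 40          # domain local groups, out-of-domain universal groups, SID history
S_COST = 8           # global groups and in-domain universal groups
DEFAULT_MAX = 12000  # assumed default MaxTokenSize
RAISED_MAX = 0xFFFF  # the value tried in the thread ("ffff")


def estimate_token_size(d, s=0, delegation=False):
    """Estimated token bytes; the guidance is to double it when delegation is used."""
    size = OVERHEAD + D_COST * d + S_COST * s
    return size * 2 if delegation else size


def max_groups(max_token_size, delegation=False, s=0):
    """Largest d whose estimate still fits in max_token_size (-1 if none fits)."""
    d = -1
    while estimate_token_size(d + 1, s, delegation) <= max_token_size:
        d += 1
    return d


def report():
    """Rows of (scenario, estimated ceiling, figure reported in the thread)."""
    return [
        ("default, no delegation", max_groups(DEFAULT_MAX), 268),
        ("default, delegation", max_groups(DEFAULT_MAX, delegation=True), 119),
        # The thread reports "at least 512" after raising MaxTokenSize to ffff.
        ("ffff, delegation", max_groups(RAISED_MAX, delegation=True), 512),
    ]


if __name__ == "__main__":
    for name, ceiling, observed in report():
        print(f"{name:24} estimate={ceiling:5}  thread={observed}")
```

Under these assumptions the estimate lands within one or two groups of both limits reported in the thread. Ceilings above the 1024 access-token limit mentioned in the original post are bounded by that limit rather than by MaxTokenSize.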