Privilege Attribute Certificate Configuration
Applies To: Windows Server 2008
The Kerberos Privilege Attribute Certificate (PAC) contains all of the group memberships for the security principal requesting access to a resource. This certificate is transferred to the client by using the Key Distribution Center (KDC).
Events
Event ID | Source | Message |
---|---|---|
Microsoft-Windows-Security-Kerberos |
The kerberos SSPI package generated an output token of size %1 bytes, which was too large to fit in the token buffer of size %2 bytes, provided by process id %3. The output SSPI token being too large is probably the result of the user %4 being a member of a large number of groups. It is recommended to minimize the number of groups a user belongs to. If the problem can not be corrected by reduction of the group memberships of this user, please contact your system administrator to increase the maximum token size, which in term is configured machine-wide via the following registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize. |
|
Microsoft-Windows-Security-Kerberos |
The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client %1 in realm %2 could not be validated. This error is usually caused by domain trust failures; please contact your system administrator. |
|
Microsoft-Windows-Security-Kerberos |
The kerberos SSPI package generated an output token of size %1 bytes, which was too large to fit in the token buffer of size %2 bytes, provided by process id %3. The application needs to be fixed to supply a token buffer of size at least %4 bytes. |
|
Microsoft-Windows-Kerberos-Key-Distribution-Center |
During TGS processing, the KDC was unable to verify the signature on the PAC from %1. This indicates the PAC was modified. |