Privilege Attribute Certificate Configuration

Applies To: Windows Server 2008

The Kerberos Privilege Attribute Certificate (PAC) contains all of the group memberships for the security principal requesting access to a resource. The Key Distribution Center (KDC) transfers this certificate to the client.

Events

Event ID: 6
Source: Microsoft-Windows-Security-Kerberos
Message:

The kerberos SSPI package generated an output token of size %1 bytes, which was too large to fit in the token buffer of size %2 bytes, provided by process id %3.

The output SSPI token being too large is probably the result of the user %4 being a member of a large number of groups.

It is recommended to minimize the number of groups a user belongs to. If the problem can not be corrected by reduction of the group memberships of this user, please contact your system administrator to increase the maximum token size, which in term is configured machine-wide via the following registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.

Event ID: 7
Source: Microsoft-Windows-Security-Kerberos
Message:

The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client %1 in realm %2 could not be validated.

This error is usually caused by domain trust failures; please contact your system administrator.

Event ID: 15
Source: Microsoft-Windows-Security-Kerberos
Message:

The kerberos SSPI package generated an output token of size %1 bytes, which was too large to fit in the token buffer of size %2 bytes, provided by process id %3.

The application needs to be fixed to supply a token buffer of size at least %4 bytes.

Event ID: 18
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Message:

During TGS processing, the KDC was unable to verify the signature on the PAC from %1. This indicates the PAC was modified.
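
The following PowerShell check is an added example, not part of the original Microsoft page. It collects the four events listed above, separates the PAC validation failures (7, 18) from the token sizing problems (6, 15), and reports whether the MaxTokenSize registry value is set. The System log location, the 7-day default window and the mapping of event data fields to the %1..%4 placeholders are assumptions.

```powershell
# Added example: triage the PAC-related Kerberos events listed on this page.
# Assumptions: the events are in the System log, and event data fields follow
# the order of the %1..%4 placeholders in the message templates above.
param([int]$Days = 7)

$sources = @{
    'Microsoft-Windows-Security-Kerberos'                = 6, 7, 15
    'Microsoft-Windows-Kerberos-Key-Distribution-Center' = 18
}
$since = (Get-Date).AddDays(-$Days)

# Query each provider separately so a missing provider does not hide the other.
$found = foreach ($provider in $sources.Keys) {
    $filter = @{ LogName = 'System'; ProviderName = $provider
                 Id = $sources[$provider]; StartTime = $since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

$report = foreach ($e in $found) {
    $p = @($e.Properties | ForEach-Object { $_.Value })
    $subject = switch ($e.Id) {
        6  { $p[3] }                       # %4: user with many group memberships
        7  { '{0}@{1}' -f $p[0], $p[1] }   # %1 client, %2 realm
        15 { "process id $($p[2])" }       # %3: process with the small buffer
        18 { $p[0] }                       # %1: source of the PAC that failed
    }
    # IDs 7 and 18 report PAC validation failures; 6 and 15 are sizing problems.
    $class = if (7, 18 -contains $e.Id) { 'PAC validation' } else { 'Token size' }
    New-Object psobject -Property @{
        Time = $e.TimeCreated; Id = $e.Id; Class = $class; Subject = $subject
    }
}
$report | Sort-Object Time | Format-Table Time, Id, Class, Subject -AutoSize

# Show the machine-wide override named in event 6, if one has been set.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$max = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).MaxTokenSize
if ($null -eq $max) {
    'MaxTokenSize is not set; the operating system default applies.'
} else {
    "MaxTokenSize = $max bytes"
}
```

Event 18 is logged by the KDC, so that part of the query only returns results when run on a domain controller.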
