|
Tokensz |
Tool for discovering MaxTokenSize
This tool will compute the maximum token size and is used to test whether a system may exhibit the issue described in KB article 327825.
Files
|
Status: DeletedThis download is no longer available on microsoft.com. The downloads below are archives provided by the Internet Archive Wayback Machine from the Microsoft Download Center prior to January 2016. |
No files found
A file listing was not found in the Wayback Machine archives.
System Requirements
Operating Systems: Windows Server 2003
Windows Server 2003
Installation Instructions
Examples of Kerberos Token Size in Use
Example 1: Incomplete context
To determine the maximum Kerberos token size using incomplete context:
• Type the following at the command line:
tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/server1
• When you press ENTER, the following output is displayed:
Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 12128
MaxTokenSize (incomplete context): 2181
In this example:
MaxTokenSize (incomplete context) indicates that the protocol could not perform all legs of authentication. In this case, (incomplete context) was returned because the server was specified as server 1, but the test was run under the user account. However, this is still a reasonable estimation of the maximum token size required for this user to authenticate to server 1.
Example 2: Administrator account to server host with delegation requested
To determine the maximum Kerberos token size for administrator to the host server 1:
• Type the following at the command line:
tokensz /compute_tokensize /package:negotiate /target_server:host/server1 /
user:administrator /password:ClientPassword /domain:UserDomain /use_delegation
• When you press ENTER, the following output is displayed:
Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 12128
Asked for delegate, but didn't get it
Check if server is trusted for delegation.
QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4-HMAC
KeySize = 128
Flags = 2081e
Signature Algorithm = -138
Encrypt Algorithm = 23
Start:4/2/2003 5:54:19
Expiry:4/2/2003 6:54:19
Current Time: 4/2/2003 5:54:19
MaxToken (complete context) 1375
In this example:
• Asked for delegate, but didn’t get it indicates that delegation was not used. This happens if the target server is not trusted for delegation, or if the user account has the Account is sensitive and cannot be delegated option selected.
• MaxToken (complete context) indicates that all authentication legs have been completed, and that this is a reliable value for maximum token size for server 1.
Example 3: Using /calc_groups
To calculate group membership for user 1:
• Type the following at the command line:
tokensz /calc_groups user1
When you press ENTER, the tool returns a list of Kerberos token contents. In this example, the following output is displayed:
Username = user1
TS Session ID: 0
User
S-1-5-21-148402017-3776891892-3157626230-1945
Groups:
00 S-1-5-21-148402017-3776891892-3157626230-513 Attributes - Mandatory Default Enabled
01 S-1-1-0 Attributes - Mandatory Default Enabled
02 S-1-5-32-545 Attributes - Mandatory Default Enabled
03 S-1-5-32-554 Attributes - Mandatory Default Enabled
04 S-1-5-2 Attributes - Mandatory Default Enabled
05 S-1-5-11 Attributes - Mandatory Default Enabled
06 S-1-5-15 Attributes - Mandatory Default Enabled
07 S-1-5-5-0-17077419 Attributes - Mandatory Default Enabled LogonId
Primary Group:
S-1-5-21-148402017-3776891892-3157626230-513
Privs
00 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
01 0x000000006 SeUnsolicitedInputPrivilege Attributes - Enabled Default
Auth ID 0:10494b4
Impersonation Level: Identification
TokenType Impersonation