Legacy Update: Get back online, activate, and install updates on your legacy Windows PC

This tool will compute the maximum token size and is used to test whether a system may exhibit the issue described in KB article 327825.

Files

Status: Deleted This download is no longer available on microsoft.com. The downloads below are archives provided by the Internet Archive Wayback Machine from the Microsoft Download Center prior to January 2016.

No files found

File sizes and hashes are retrieved from the Wayback Machine’s indexes. They may not match the latest versions of files hosted on Microsoft servers.

Windows Server 2003

Examples of Kerberos Token Size in Use
Example 1: Incomplete context
To determine the maximum Kerberos token size using incomplete context:

• Type the following at the command line:

tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/server1

• When you press ENTER, the following output is displayed:

Name: Negotiate Comment: Microsoft Package Negotiator

Current PackageInfo->MaxToken: 12128

MaxTokenSize (incomplete context): 2181


In this example:

MaxTokenSize (incomplete context) indicates that the protocol could not perform all legs of authentication. In this case, (incomplete context) was returned because the server was specified as server 1, but the test was run under the user account. However, this is still a reasonable estimation of the maximum token size required for this user to authenticate to server 1.

Example 2: Administrator account to server host with delegation requested
To determine the maximum Kerberos token size for administrator to the host server 1:

• Type the following at the command line:

tokensz /compute_tokensize /package:negotiate /target_server:host/server1 /
user:administrator /password:ClientPassword /domain:UserDomain /use_delegation

• When you press ENTER, the following output is displayed:

Name: Negotiate Comment: Microsoft Package Negotiator

Current PackageInfo->MaxToken: 12128

Asked for delegate, but didn't get it

Check if server is trusted for delegation.

QueryKeyInfo:

Signature algorithm =

Encrypt algorithm = RSADSI RC4-HMAC

KeySize = 128

Flags = 2081e

Signature Algorithm = -138

Encrypt Algorithm = 23

Start:4/2/2003 5:54:19

Expiry:4/2/2003 6:54:19

Current Time: 4/2/2003 5:54:19

MaxToken (complete context) 1375


In this example:

• Asked for delegate, but didn’t get it indicates that delegation was not used. This happens if the target server is not trusted for delegation, or if the user account has the Account is sensitive and cannot be delegated option selected.

• MaxToken (complete context) indicates that all authentication legs have been completed, and that this is a reliable value for maximum token size for server 1.


Example 3: Using /calc_groups
To calculate group membership for user 1:

• Type the following at the command line:

tokensz /calc_groups user1


When you press ENTER, the tool returns a list of Kerberos token contents. In this example, the following output is displayed:

Username = user1

TS Session ID: 0

User

S-1-5-21-148402017-3776891892-3157626230-1945

Groups:

00 S-1-5-21-148402017-3776891892-3157626230-513 Attributes - Mandatory Default Enabled

01 S-1-1-0 Attributes - Mandatory Default Enabled

02 S-1-5-32-545 Attributes - Mandatory Default Enabled

03 S-1-5-32-554 Attributes - Mandatory Default Enabled

04 S-1-5-2 Attributes - Mandatory Default Enabled

05 S-1-5-11 Attributes - Mandatory Default Enabled

06 S-1-5-15 Attributes - Mandatory Default Enabled

07 S-1-5-5-0-17077419 Attributes - Mandatory Default Enabled LogonId

Primary Group:

S-1-5-21-148402017-3776891892-3157626230-513

Privs

00 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default

01 0x000000006 SeUnsolicitedInputPrivilege Attributes - Enabled Default

Auth ID 0:10494b4

Impersonation Level: Identification

TokenType Impersonation