Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Internet Explorer Kerberos authentication does not work because of an insufficient buffer connecting to IIS


View products that this article applies to.

This article was previously published under Q269643
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://support.microsoft.com/kb/256986/ ) Description of the Microsoft Windows Registry

↑ Back to the top


Symptoms

When you try to connect to a Microsoft Internet Information Server (IIS) computer that is configured to use Microsoft Windows 2000 authentication, you receive an Enter Network Password dialog box. When you try to log on, you may be prompted to provide your network credentials again, and after you do so, you may receive the following error message:
You are not authorized to view this page

You do not have permission to view this directory or page using the credentials you supplied.

↑ Back to the top


Cause

This problem can occur even though the credentials you provide are valid and can be utilized to obtain access to the same computer through the Microsoft Windows NT Server service by using the net use command. However, the Wininet.dll file may not allocate a sufficient buffer for containing the user's Kerberos token. For example, this can occur if the user is a member of more than 100 groups.

↑ Back to the top


Resolution

To resolve this problem, use the appropriate method for your version of Internet Explorer.

Internet Explorer 5.5

To resolve this problem with Internet Explorer 5.5, obtain and install Internet Explorer 5.5 Service Pack 2 or later.

For additional information about how to obtain the latest service pack for Internet Explorer 5.5, click the following article number to view the article in the Microsoft Knowledge Base:
276369� How to obtain the latest service pack for Internet Explorer 5.5

Internet Explorer 5.01

To resolve this problem with Internet Explorer 5.01, obtain and install either Internet Explorer 5.01 Service Pack 2 or later or Microsoft Windows 2000 Service Pack 2 or later.

For additional information about how to obtain the latest service pack for Windows 2000 or Internet Explorer 5.01, click the following article numbers to view the articles in the Microsoft Knowledge Base:
260910� How to obtain the latest Windows 2000 service pack
267954� How to obtain the latest Internet Explorer 5.01 service pack
For additional information about how to resolve this problem with Internet Explorer 5.01 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:
277741� Internet Explorer logon fails due to an insufficient buffer for Kerberos

↑ Back to the top


Workaround

To work around this problem, reduce the number of groups that the user is a member of.

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Internet Explorer version 5.01 Service Pack 2.

↑ Back to the top


More information

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
This hotfix allows a larger number of groups to be supported. To increase the maximum token size after you install the hotfix, use the following steps:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate and then click the following key in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
  3. On the Edit menu, click Add Key, and then add the following registry key:
    Key name: Parameters
  4. On the Edit menu, click Add Value, and then add the following registry value:
    Value name: MaxTokenSize Type: REG_DWORD
    Radix: Decimal
    Value: 65535
  5. Quit Registry Editor.
Note A token size of 65,535 supports approximately 900 groups that a user may be a member of. The SID information that is associated with each group may vary in size, and this can result in some variation in this value. For additional information about Kerberos Token Size configuration and support in Windows 2000, click the following article numbers to view the articles in the Microsoft Knowledge Base:
263693� Group Policy may not be applied to users belonging to many groups
297869� SMS administrator issues after you modify the Kerberos MaxTokenSize registry value
Note This problem involves an Internet Explorer Wininet buffering issue. In order to resolve this issue, the hotfix, Windows 2000 Service Pack 2 or Internet Explorer update must be applied and the registry parameter must be set on all client systems.

↑ Back to the top


Keywords: kbhotfixserver, kbbug, kbenv, kberrmsg, kbfix, kbie501presp2fix, kbqfe, kbqfe, KB269643

↑ Back to the top

Article Info
Article ID : 269643
Revision : 6
Created on : 2/19/2007
Published on : 2/19/2007
Exists online : False
Views : 503