Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Internet Explorer Kerberos authentication does not work because of an insufficient buffer connecting to IIS



This article was previously published under Q269643
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://support.microsoft.com/kb/256986/) Description of the Microsoft Windows Registry



Symptoms

When you try to connect to a Microsoft Internet Information Server (IIS) computer that is configured to use Microsoft Windows 2000 authentication, you receive an Enter Network Password dialog box. When you try to log on, you may be prompted to provide your network credentials again, and after you do so, you may receive the following error message:
You are not authorized to view this page

You do not have permission to view this directory or page using the credentials you supplied.



Cause

This problem can occur even though the credentials you provide are valid and can be utilized to obtain access to the same computer through the Microsoft Windows NT Server service by using the net use command. However, the Wininet.dll file may not allocate a sufficient buffer for containing the user's Kerberos token. For example, this can occur if the user is a member of more than 100 groups.



Resolution

To resolve this problem, use the appropriate method for your version of Internet Explorer.

Internet Explorer 5.5

To resolve this problem with Internet Explorer 5.5, obtain and install Internet Explorer 5.5 Service Pack 2 or later.

For additional information about how to obtain the latest service pack for Internet Explorer 5.5, click the following article number to view the article in the Microsoft Knowledge Base:
276369 How to obtain the latest service pack for Internet Explorer 5.5

Internet Explorer 5.01

To resolve this problem with Internet Explorer 5.01, obtain and install either Internet Explorer 5.01 Service Pack 2 or later or Microsoft Windows 2000 Service Pack 2 or later.

For additional information about how to obtain the latest service pack for Windows 2000 or Internet Explorer 5.01, click the following article numbers to view the articles in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
267954 How to obtain the latest Internet Explorer 5.01 service pack
For additional information about how to resolve this problem with Internet Explorer 5.01 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:
277741 Internet Explorer logon fails due to an insufficient buffer for Kerberos



Workaround

To work around this problem, reduce the number of groups that the user is a member of.



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Internet Explorer version 5.01 Service Pack 2.



More information

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
This hotfix allows a larger number of groups to be supported. To increase the maximum token size after you install the hotfix, use the following steps:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate and then click the following key in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
  3. On the Edit menu, click Add Key, and then add the following registry key:
    Key name: Parameters
  4. On the Edit menu, click Add Value, and then add the following registry value:
    Value name: MaxTokenSize
    Type: REG_DWORD
    Radix: Decimal
    Value: 65535
  5. Quit Registry Editor.
Note A token size of 65,535 supports approximately 900 groups that a user may be a member of. The SID information that is associated with each group may vary in size, and this can result in some variation in this value. For additional information about Kerberos Token Size configuration and support in Windows 2000, click the following article numbers to view the articles in the Microsoft Knowledge Base:
263693 Group Policy may not be applied to users belonging to many groups
297869 SMS administrator issues after you modify the Kerberos MaxTokenSize registry value
Note This problem involves an Internet Explorer Wininet buffering issue. In order to resolve this issue, the hotfix, Windows 2000 Service Pack 2 or Internet Explorer update must be applied and the registry parameter must be set on all client systems.
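
The registry steps above can also be checked and applied from a script. The following PowerShell is an added example, not part of the original KB article; the function names are hypothetical, and it assumes an elevated PowerShell session on the client computer. It reports how many groups are in the current logon token, shows the existing MaxTokenSize value and type, and writes the value only when it differs from the one in step 4.

```powershell
# Added example (not from the KB article): audit and set Kerberos MaxTokenSize.
# Run in an elevated PowerShell session on the client computer.
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName = 'MaxTokenSize'
$Desired   = 65535          # decimal value from step 4

function Get-KerberosMaxTokenSize {
    # Returns what is configured now; Value and Kind are $null when unset.
    $result = [pscustomobject]@{ KeyExists = (Test-Path $ParamsKey); Value = $null; Kind = $null }
    if ($result.KeyExists) {
        $key = Get-Item -Path $ParamsKey
        if ($key.GetValueNames() -contains $ValueName) {
            $result.Value = $key.GetValue($ValueName)
            $result.Kind  = $key.GetValueKind($ValueName)
        }
    }
    $result
}

function Set-KerberosMaxTokenSize {
    param([int]$Size = $Desired)
    if (-not (Test-Path $ParamsKey)) {
        New-Item -Path $ParamsKey | Out-Null      # step 3: add the Parameters key
    }
    # step 4: REG_DWORD value; -Force replaces an existing value of any type
    New-ItemProperty -Path $ParamsKey -Name $ValueName -PropertyType DWord `
        -Value $Size -Force | Out-Null
}

# Group SIDs in the current logon token, for comparison with the group counts in the article
$groupCount = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Count
Write-Output "Groups in current token: $groupCount"

$before = Get-KerberosMaxTokenSize
Write-Output ("Before: KeyExists={0} Value={1} Kind={2}" -f $before.KeyExists, $before.Value, $before.Kind)

if ($before.Value -ne $Desired -or $before.Kind -ne 'DWord') {
    Set-KerberosMaxTokenSize
    $after = Get-KerberosMaxTokenSize
    Write-Output ("After:  Value={0} Kind={1}" -f $after.Value, $after.Kind)
} else {
    Write-Output 'MaxTokenSize is already set as described; no change made.'
}
```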



Keywords: kbhotfixserver, kbbug, kbenv, kberrmsg, kbfix, kbie501presp2fix, kbqfe, kbqfe, KB269643


Article Info
Article ID : 269643
Revision : 6
Created on : 2/19/2007
Published on : 2/19/2007
Exists online : False