If you want to split hairs the largest token a user can have may only contain 1024 SIDs that is if they want to logon. This is a hard coded limitation and we actually publish 1015 since there are built-in groups that get added to every user token. This is documented here: http://support.microsoft.com/default.aspx?scid=kb;en-us;328889. That being said that does not mean that the authorization protocols or applications leveraging those protocols can/will work with tokens that large. For example IIS has limits on the amount of data that is exchange in a get request etc... So even though the underlying OS can build a token with 1024 SIDs in it does not mean everything is going to work. This limit of 1024 SIDs has been in the product for sometime, at least since NT 4.0 and likely earlier. What has changed over time is the way the different authentication providers and applications handle this as referenced in the various Emails below.
Thanks, -Steve -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Friday, August 19, 2005 12:43 PM To: [email protected] Subject: RE: [ActiveDir] User SIDs... Having read through most of the replies on this, it's interesting that there was an internal (to Microsoft - just to clarify) discussion on this same topic yesterday. Seems that a customer was having problems with a function calling APIs for SID creation when the SID exceeded 68 bytes. I'll let you determine from that statement what the largest supported SID is. :o) So, take that number into 12000 and I suspect that will give you a clear idea of how memberships would begin to cause issues with Kerberos. However, as al mentions, this can be increased but I don't know what the max supported size is. And, as to figuring out the actual size of a SID, yes there is. I don't have the algorithm at my finger tips, but it can be derived pretty easily - more easily with C/C++, or Perl, IIRC. Rick -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Friday, August 19, 2005 7:29 AM To: [email protected] Subject: [ActiveDir] User SIDs... Hello All, Does anyone know the default length a users SID (Win2K DC's, WinXP SP2clients ) can be before problems such as http://support.microsoft.com/?kbid=327825 <http://support.microsoft.com/?kbid=327825> start occuring ? Also, there anyway to determine the actual length of a users SID??? TIA, Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
