
KB-9002: Windows 2012 SID Compression


Product: Authentication Service
Component: UNIX/Linux Agent
Tags: Windows, 2012, SID, Compression
Bug #60866, 74924
Question:

Is Windows 2012 SID compression supported by Centrify DirectControl?




Answer:

SID compression is supported as of DirectControl 5.2.1 (Suite 2014.1).

Windows 2012 has a new Kerberos feature, "SID compression", which relieves the problem of PAC overflow for users who belong to a large number of groups. A new attribute, "ResourceGroupIds", is introduced to hold principal SIDs in the new form (just the RID).


Note: Resource SID compression is on by default on Windows 2012 and higher; however, you can disable it.  

To disable resource SID compression on a Windows Server 2012 KDC, use the "DisableResourceGroupsFields" registry value under the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters registry key. This registry value has a DWORD registry value type. Setting the value to 1 completely disables resource SID compression. The KDC reads this configuration when building a service ticket. With the bit enabled, the KDC does not use resource SID compression when building the service ticket.

This disables resource SID compression on an individual Windows Server 2012 domain controller (KDC). You must apply this setting to each Windows Server 2012 domain controller to ensure the domain controllers do not issue tickets that use resource group SID compression.
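Because the setting is per domain controller, a single missed KDC keeps issuing compressed tickets. The following script is an added example (not Centrify or Microsoft code) that reports the value on every domain controller and, with `-Disable`, sets it to 1. It assumes the ActiveDirectory RSAT module and PowerShell remoting to each DC; the parameter and column names are illustrative.

```powershell
# Added example: audit (and optionally set) DisableResourceGroupsFields on all DCs.
# Assumptions: ActiveDirectory module installed, WinRM remoting enabled on each DC,
# and the caller has administrative rights on the domain controllers.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Disable   # hypothetical switch: when present, write the value 1
)

Import-Module ActiveDirectory

# Key and value name as given in this article.
$keyPath   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters'
$valueName = 'DisableResourceGroupsFields'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Only write when -Disable was given and -WhatIf/-Confirm allow it.
        $write = $Disable -and $PSCmdlet.ShouldProcess($dc.HostName, "Set $valueName = 1")

        $current = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop `
            -ArgumentList $keyPath, $valueName, $write -ScriptBlock {
                param($Path, $Name, $Set)
                if ($Set) {
                    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
                    New-ItemProperty -Path $Path -Name $Name -Value 1 `
                        -PropertyType DWord -Force | Out-Null
                }
                # $null when the key or value is absent (compression is on by default).
                (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
            }

        [pscustomobject]@{
            DomainController  = $dc.HostName
            OperatingSystem   = $dc.OperatingSystem
            RegistryValue     = if ($null -eq $current) { '(not set)' } else { $current }
            CompressionActive = ($current -ne 1)   # 1 disables compression per the article
        }
    } catch {
        # An unreachable DC is reported, not skipped: its state is unknown.
        [pscustomobject]@{
            DomainController  = $dc.HostName
            OperatingSystem   = $dc.OperatingSystem
            RegistryValue     = "unreachable: $($_.Exception.Message)"
            CompressionActive = $null
        }
    }
}

$results | Sort-Object DomainController | Format-Table -AutoSize
```

Run it without `-Disable` first to see the current state; any row with `CompressionActive` set to True or blank still needs attention.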

Please note if Centrify Enabled Samba is also installed, refer to the following knowledge base article:
KB-5311: Will SID compression be available for Centrify-Enabled Samba

http://support.microsoft.com/kb/2774190
http://social.technet.microsoft.com/wiki/contents/articles/20886.kdc-resource-sid-compression.aspx
http://social.technet.microsoft.com/Forums/windowsserver/en-US/60127b96-fa15-4b93-a8ad-f148c38947c2/kdc-sid-compression-problem-with-dc-on-server-2012-r2-2008-r2-forestdomain-level?forum=winserverDS
http://blogs.technet.com/b/askds/archive/2012/09/12/maxtokensize-and-windows-8-and-windows-server-2012.aspx

Centrify Corporation does not take any responsibility for the content or availability of these links, which are provided as a courtesy. Customers should contact the vendor if there are any further questions.
Created By: Steven Feltner
Solution Creator: Steven Feltner