Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-9002: Windows 2012 SID Compression

Centrify DirectControl ,  

4 August,17 at 10:33 PM

Applies to: All supported versions of DirectControl

Question:
Is Windows 2012 SID compression supported by Centrify DirectControl. 

Answer:
SID compression is supported as of DirectControl 5.2.1 (Suite 2014.1) . 

Windows 2012 has new Kerberos feature - "SID compression". This is a relief for the problem of PAC overflow for users belonging to a large number of groups. A new attribute "ResourceGroupIds" is introduced to contain the new ways for principal SIDs (just the RID). 


Note: Resource SID compression is on by default on Windows 2012 and higher; however, you can disable it.  

To disable resource SID compression on a Windows Server 2012 KDC using the "DisableResourceGroupsFields" registry value under the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters
registry key.  This registry value has a DWORD registry value type.  You completely disable resource SID compression when you set the registry value to 1.  The KDC reads this configuration when building a service ticket.  With the bit enabled, the KDC does not use resource SID compression when building the service ticket. 

This disables resource SID compression on an individual Windows Server 2012 domain controller (KDC).  You must apply this setting to each Windows Server 2012 domain controller to ensure the domain controllers do not issue tickets that use resource group SID compression

Please note if Centrify Enabled Samba is also installed, refer to the following knowledge base article:
KB-5176: SID compression requires Samba 4 to support

http://support.microsoft.com/kb/2774190
http://social.technet.microsoft.com/wiki/contents/articles/20886.kdc-resource-sid-compression.aspx
http://social.technet.microsoft.com/Forums/windowsserver/en-US/60127b96-fa15-4b93-a8ad-f148c38947c2/kdc-sid-compression-problem-with-dc-on-server-2012-r2-2008-r2-forestdomain-level?forum=winserverDS
http://blogs.technet.com/b/askds/archive/2012/09/12/maxtokensize-and-windows-8-and-windows-server-2012.aspx

Centrify Corporation does not take any responsibility for the content or availability of this link and it was provided as a courtesy.  Customers should contact the vendor if there are any further questions

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.