Remote Enterprise Console "Not a member of sub-estates" when accessing from Trusted Child Domain

  • Article ID: 116943
  • Updated: 12 May 2014

Issue

When a remote Enterprise Console connects from a child domain that has a two-way trust with the management server's domain, the user's Kerberos token grows because of the additional Active Directory group information it has to carry. The oversized token then causes authentication across the domain boundary to fail.

For example, the SEC remote console fails to open and logs the following error:

Error in the Client Console Fatal Log:

Console Fatal:
No sub-estates are assigned to this user
----- [outer exception] -----
-- error: 0x829E002C
-- facility: Sophos Management Service Exception

First seen in

Enterprise Console 4.5.0

Cause

The problem occurs because the workstation's Kerberos token exceeds the default limit of 12,000 bytes. Raising the limit with the MaxTokenSize registry parameter resolves the issue.

What To Do

To set this parameter:

  1. Start Registry Editor (Start | Run | Type: regedit.exe | Press return).
  2. Locate and click the following key in the registry:
    System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    If this key is not present, create the key. To do so:
    1. Click the following key in the registry:
      System\CurrentControlSet\Control\Lsa\Kerberos
    2. On the Edit menu, click Add Key.
    3. Create a Parameters key.
    4. Click the new Parameters key.
  3. On the Edit menu, click Add Value, and then add the following registry value:
    Value name: MaxTokenSize
    Data type: REG_DWORD
    Radix: Decimal
    Value data: 65535 (see "How to calculate token size" below before choosing a value)
  4. Quit Registry Editor.
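The same change can be made from an elevated PowerShell session instead of regedit. The script below is an added example and is not part of the Sophos article; it assumes the key lives under HKLM (the hive the steps above omit), that the shell is elevated, and that a reboot follows the change. It checks the current value first, creates the Parameters key only if it is missing, and supports -WhatIf so the change can be previewed.

```powershell
# Added example (not from the Sophos article): inspect and, if needed, set the
# Kerberos MaxTokenSize value from the steps above using PowerShell.
# Assumptions: the key is under HKLM, the session is elevated, and the
# workstation is rebooted afterwards for the value to take effect.

$KerberosKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
$ParametersKey    = Join-Path $KerberosKey 'Parameters'
$DefaultTokenSize = 12000   # effective limit when no MaxTokenSize value exists

function Get-KerberosMaxTokenSize {
    # Returns the configured MaxTokenSize, or the default when no override is set.
    $item = Get-ItemProperty -Path $ParametersKey -Name 'MaxTokenSize' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $DefaultTokenSize }
    return [int]$item.MaxTokenSize
}

function Set-KerberosMaxTokenSize {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 65535 is the value the article uses and the largest value accepted;
        # the range check stops a typo from writing something out of bounds.
        [ValidateRange(1, 65535)]
        [int]$Size = 65535
    )

    # Step 2 above: create the Parameters key if it does not exist.
    if (-not (Test-Path $ParametersKey)) {
        if ($PSCmdlet.ShouldProcess($ParametersKey, 'Create registry key')) {
            New-Item -Path $ParametersKey -Force | Out-Null
        }
    }

    $current = Get-KerberosMaxTokenSize
    if ($current -eq $Size) {
        Write-Verbose "MaxTokenSize is already $Size; nothing to do."
        return
    }

    # Step 3 above: write the REG_DWORD value (-Force overwrites an existing value).
    if ($PSCmdlet.ShouldProcess("$ParametersKey\MaxTokenSize", "Set to $Size (currently $current)")) {
        New-ItemProperty -Path $ParametersKey -Name 'MaxTokenSize' `
            -PropertyType DWord -Value $Size -Force | Out-Null
        Write-Warning 'Reboot the workstation for the new MaxTokenSize to take effect.'
    }
}

# Preview the change, then apply it:
Set-KerberosMaxTokenSize -WhatIf
Set-KerberosMaxTokenSize -Verbose
```

Run Get-KerberosMaxTokenSize on its own to confirm the value after the reboot; it returns 12000 when the value is absent, which matches the default stated in the calculation section below.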

How to calculate token size

Use the following formula to determine whether the MaxTokenSize value needs to be changed:

  • TokenSize = [12 × number of user rights] + [token overhead] + [40 × d] + [8 × s]

This formula uses the following values:

  • d:  The number of domain local groups a user is a member of, plus the number of universal groups outside the user's account domain, plus the number of groups represented in SID history.
  • s:  The number of security global groups a user is a member of, plus the number of universal groups in the user's account domain.
  • User rights include rights such as "Log on locally" or "Access this computer from the network". Only the user rights configured on the server that hosts the secured resource are added to the access token. Most users are likely to have only two or three user rights on the Exchange server; administrators may have dozens. Each user right takes 12 bytes in the token.
  • Token overhead includes fields such as the token source, expiration time and impersonation information. For a typical domain user with no special access or restrictions, token overhead is likely to be between 400 and 500 bytes.
  • The estimated ticket overhead varies with factors such as the length of the DNS domain name and the client name.
  • Each group membership adds the group's SID to the token together with an additional 16 bytes of associated attributes and information. The maximum possible size of a SID is 68 bytes; in practice each security group a user belongs to typically adds 44 bytes to the token.

In scenarios in which delegation is used (for example, when users authenticate to a domain controller), Microsoft recommends doubling the calculated token size.

The default MaxTokenSize is 12,000 bytes.
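The formula and the doubling rule above are easier to apply as a small function that returns the estimate alongside the limit it is compared against. The script below is an added example, not part of the Sophos article; the group counts passed to it are constructed sample values, and the worst-case count taken from the current session is an assumption (it treats every group SID in the logon token as a 40-byte d entry, since d and s cannot be told apart without querying Active Directory).

```powershell
# Added example (not from the Sophos article): evaluate the token-size formula
# TokenSize = 12*rights + overhead + 40*d + 8*s, optionally doubled for
# delegation, and report whether it exceeds MaxTokenSize.

function Get-EstimatedTokenSize {
    [CmdletBinding()]
    param(
        [int]$UserRights,             # rights granted on the resource server, 12 bytes each
        [int]$TokenOverhead = 500,    # token source, expiry, impersonation (article: 400-500 bytes)
        [int]$d,                      # domain local + universal groups outside the account domain + SID-history groups
        [int]$s,                      # security global + universal groups in the account domain
        [switch]$Delegation,          # double the estimate when delegation is used
        [int]$MaxTokenSize = 12000    # default limit when no MaxTokenSize override is set
    )

    $estimate = (12 * $UserRights) + $TokenOverhead + (40 * $d) + (8 * $s)
    if ($Delegation) { $estimate *= 2 }

    [pscustomobject]@{
        EstimatedBytes = $estimate
        MaxTokenSize   = $MaxTokenSize
        ExceedsLimit   = ($estimate -gt $MaxTokenSize)
        Recommendation = if ($estimate -gt $MaxTokenSize) {
                             'Raise MaxTokenSize (registry steps above) or trim group memberships'
                         } else {
                             'No change needed'
                         }
    }
}

# Constructed sample: an administrator in a child domain with many nested and
# universal group memberships, authenticating through delegation.
# 12*20 + 500 + 40*250 + 8*300 = 13140, doubled = 26280, which exceeds 12000.
Get-EstimatedTokenSize -UserRights 20 -TokenOverhead 500 -d 250 -s 300 -Delegation

# Assumption-based worst case for the account running this script: count the
# group SIDs actually present in the current logon token and treat all of them
# as d (40 bytes each). This overestimates, which is the safe direction when
# deciding whether to raise the limit.
$groupsInToken = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Count
Get-EstimatedTokenSize -UserRights 3 -d $groupsInToken -s 0
```

If ExceedsLimit comes back true for the accounts that open the remote console, raise MaxTokenSize as described in the registry steps and reboot; the value 65535 the article uses covers any estimate this formula can realistically produce.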

If you need more information or guidance, then please contact technical support.
