
Token Bloat

Here is a short story about Token Bloat and what we did to resolve it (Hint: it had nothing to do with Tums)

The scenario:

It’s 4:30pm on what had been a relatively calm afternoon when the phone rings. It’s the CFO: she cannot access her email, shared drives or her personal files, and of course it is the night that a whole batch of financial year-end reports are due.

The problem:

The problem only occurs when she logs into her Citrix XenDesktop VDI. If she logs into a domain-joined notebook or a XenApp 4.5 shared desktop, she can get into her email, shared drives and personal files without any trouble.

On the surface it looks like a XenDesktop problem. However, the same desktop image is shared by 300+ other users and none of them are experiencing these issues, so the image itself is unlikely to be broken.

We saw events similar to this in the event log:

[Screenshot: Kerberos token-size errors in the event log]

When the CFO logs into the XenDesktop VDI she gets a couple of errors in the event log similar to the ones above. Her token size was 12,400 bytes, which is 400 bytes larger than the default Windows MaxTokenSize of 12,000 bytes (the default on Windows 7 / Server 2008 R2 and earlier; Windows 8 / Server 2012 raised it to 48,000). The Kerberos client cannot fit her access token into the buffer, so every Kerberos-authenticated resource (Exchange, file shares, her home drive) fails.

A quick Google search brings up Shane Cothran’s post on the TechNet blogs:

http://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-and-kerberos-token-bloat.aspx
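Before reaching for the registry it is worth confirming that group membership really is what pushed the token over the limit. The following PowerShell is an added example, not code from the original post or from Shane's; it estimates a user's token size from their transitive security-group membership using the rule of thumb from Microsoft KB 327825, TokenSize = 1200 + 40d + 8s. It assumes the ActiveDirectory module is available and a single-domain forest (in a multi-domain forest, universal groups from other domains belong in d rather than s); the account name 'cfo' is a placeholder.

```powershell
# Added example: estimate a user's Kerberos token size from transitive group
# membership with the KB 327825 rule of thumb (1200 + 40d + 8s).
# Assumes the ActiveDirectory module and a single-domain forest.
Import-Module ActiveDirectory

function Get-EstimatedTokenSize {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        # Default MaxTokenSize on Windows 7 / Server 2008 R2 and earlier.
        [int]$MaxTokenSize = 12000
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties sIDHistory

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested
    # membership, which is what actually ends up as SIDs in the token.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"

    # Only security groups add SIDs to the token; distribution groups do not.
    $security    = @($groups | Where-Object { $_.GroupCategory -eq 'Security' })
    $domainLocal = @($security | Where-Object { $_.GroupScope -eq 'DomainLocal' }).Count
    $global      = @($security | Where-Object { $_.GroupScope -eq 'Global' }).Count
    $universal   = @($security | Where-Object { $_.GroupScope -eq 'Universal' }).Count
    $sidHistory  = @($user.SIDHistory).Count

    # d: domain-local groups, universal groups from other domains, SID history entries.
    # s: global groups and universal groups in the account domain.
    # Single-domain assumption: every universal group counts toward s.
    $d = $domainLocal + $sidHistory
    $s = $global + $universal
    $estimate = 1200 + (40 * $d) + (8 * $s)

    [pscustomobject]@{
        User           = $user.SamAccountName
        SecurityGroups = $security.Count
        DomainLocal    = $domainLocal
        Global         = $global
        Universal      = $universal
        SidHistory     = $sidHistory
        EstimatedBytes = $estimate
        MaxTokenSize   = $MaxTokenSize
        ExceedsMax     = ($estimate -gt $MaxTokenSize)
    }
}

# Placeholder account name; compare the estimate with the size the Kerberos event reports.
Get-EstimatedTokenSize -SamAccountName 'cfo'
```

The estimate is only a sanity check. The authoritative number is the one the Kerberos client reports in the event (12,400 bytes here), and `whoami /groups` run inside the VDI session lists the groups that actually landed in the token.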


Solution

We first tried a Group Policy Object applied to the VDI Organizational Unit in Active Directory. However, because the VDI image is static, the policy had trouble applying. If you are looking for instructions on how to apply this setting to a group of servers or desktops, the Microsoft KB article covers it: http://support.microsoft.com/kb/938118/EN-US

The change that had to be made in our case was to create a registry entry directly on the static XenDesktop image.

We followed Shane’s instructions for the registry entry that needs to be created. The instructions are below.

To use this parameter:

  1. Start Registry Editor (Regedt32.exe).
  2. Locate and click the following key in the registry:
     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  3. If this key is not present, create it. To do so:
     1. Click the following key in the registry:
        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
     2. On the Edit menu, click Add Key.
     3. Create a Parameters key.
     4. Click the new Parameters key.
  4. On the Edit menu, click Add Value, and then add the following registry value:
     Value name: MaxTokenSize
     Data type: REG_DWORD
     Radix: Decimal
     Value data: 65535
  5. Quit Registry Editor.
  6. Reboot.

A note on the value: 65,535 is the documented ceiling for MaxTokenSize (the 65636 that often appears in copies of this recipe is above the limit). Microsoft’s later guidance is 48,000 bytes on Windows 7 / Server 2008 R2 and earlier, because Kerberos over HTTP carries the token base64-encoded in the Authorization header and larger tokens can exceed the IIS/http.sys header limits. Whatever value you pick, it is a per-machine setting: it has to be applied on every client and server that handles the token, not only the VDI image.
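The same registry change as a script, which is easier to bake into a static image than clicking through Registry Editor. This is an added example, not from the original post or from Shane's; it assumes an elevated PowerShell session on the image, and the 48,000-byte default is a choice made here (Microsoft's recommended value), not a value the post uses.

```powershell
# Added example: apply MaxTokenSize on the local machine (for example the static
# XenDesktop image) and read it back. Run elevated; a reboot is still required
# before the Kerberos client uses the new buffer size.
function Set-MaxTokenSize {
    param(
        # 65535 is the documented ceiling; 48000 is Microsoft's recommended value
        # for Windows 7 / Server 2008 R2 and earlier (assumed default here).
        [ValidateRange(1, 65535)] [int]$Bytes = 48000
    )
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

    # The Parameters key does not exist by default; create it when missing.
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }

    $before = (Get-ItemProperty -Path $path -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize

    if ($Bytes -gt 48000) {
        # The token travels base64-encoded in the HTTP Authorization header, so very
        # large values can exceed IIS/http.sys header limits (MaxFieldLength / MaxRequestBytes).
        Write-Warning "MaxTokenSize $Bytes exceeds 48000; check HTTP header limits on IIS hosts that use Kerberos."
    }

    # -Force overwrites an existing value; DWord matches the REG_DWORD type the KB specifies.
    New-ItemProperty -Path $path -Name MaxTokenSize -Value $Bytes -PropertyType DWord -Force | Out-Null
    $after = (Get-ItemProperty -Path $path -Name MaxTokenSize).MaxTokenSize

    [pscustomobject]@{
        Path   = $path
        Before = $(if ($null -eq $before) { 'not set (OS default)' } else { $before })
        After  = $after
        Note   = 'Reboot required; apply on every client and server that handles the token, not only the VDI image.'
    }
}

Set-MaxTokenSize -Bytes 48000
```

Because the setting lives under HKLM it follows the machine, not the user, which is why a GPO scoped to the user's OU would not have helped here.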

Once these changes are applied to the image and the VDI has been rebooted, the user is able to access the network resources again.

Conclusion

After some investigation we discovered that someone had added the CFO’s Active Directory user account to 46 additional groups, which pushed her token past the 12,000-byte limit in the VDI environment. Raising MaxTokenSize is a workaround; the underlying fix is to find out who added those groups and why, and remove the ones she does not actually need.
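Finding out who made those 46 additions does not have to be guesswork: domain controllers log a "member added" event for every security group change. The following PowerShell is an added example, not code from the original post; it assumes the ActiveDirectory module, that "Audit Security Group Management" auditing is enabled on the DCs, and that the caller can read their Security logs remotely. The account name 'cfo' is a placeholder.

```powershell
# Added example: list who added a user to security groups, from the
# "member added" events in the domain controllers' Security logs:
# 4728 (global), 4732 (domain local), 4756 (universal).
Import-Module ActiveDirectory

function Get-GroupAdditionsForUser {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [int]$Days = 30,
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    # Match on the member's SID rather than MemberName: MemberName is the object's
    # DN, whose CN need not equal the sAMAccountName.
    $userSid = (Get-ADUser -Identity $SamAccountName).SID.Value

    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4732, 4756
        StartTime = (Get-Date).AddDays(-$Days)
    }

    foreach ($dc in $DomainController) {
        # Get-WinEvent throws when nothing matches; treat that as "no events on this DC".
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

                if ($data['MemberSid'] -eq $userSid) {
                    [pscustomobject]@{
                        When    = $_.TimeCreated
                        DC      = $dc
                        EventId = $_.Id
                        Group   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                        AddedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    }
                }
            }
    }
}

# Placeholder account name; widen -Days if the additions happened a while ago.
Get-GroupAdditionsForUser -SamAccountName 'cfo' -Days 90 | Sort-Object When | Format-Table -AutoSize
```

Security logs on busy DCs roll over quickly, so if the additions predate the retained window, check the SIEM; failing that, `Get-ADReplicationAttributeMetadata -ShowAllLinkedValues` on each group's member attribute still gives the time of the change, though not who made it.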