Policy
Warning for large Kerberos tickets
Microsoft Windows
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2012, WindowsServer2012R2, WindowsServer2016
This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log. If you enable this policy setting, you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high, then authentication failures might be occurring even though warning events are not being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy. If you disable or do not configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions.
Registry values
How enabled and disabled states update the registry.
| Scope | Registry location | Type | Enabled value | Disabled value | Copy |
|---|---|---|---|---|---|
| Computer | Path Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters Value name EnableTicketSizeThreshold | REG_DWORD | HKLM 1 | HKLM 0 |
Policy elements
Inputs and configuration options exposed by this policy.
| Scope | Element | Type | Registry mapping | Constraints & behavior | Copy |
|---|---|---|---|---|---|
| Computer | Ticket Size Threshold ID TicketSizeThreshold | decimal | Path Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters Value name TicketSizeThreshold Type REG_DWORD | Range: 12000 to 2147483647 |