Set maximum Kerberos SSPI context token buffer size

Policy overview

Key metadata and intent for this policy.

Scope: Computer
Category: System > Kerberos
Supported on: At least Windows Server 2003 operating systems or Windows XP Professional

Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2003, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista, WindowsXP

This policy setting allows you to set the value returned to applications that request the maximum size of the SSPI context token buffer. The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.

If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.

If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.

Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8, the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value to more than 48,000 bytes.

Internal name: MaxTokenSize
Policy ID: 8779fabd0c9f
Elements: 1

Registry values

How enabled and disabled states update the registry.

Scope: Computer
Hive: HKLM
Path: System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value name: EnableMaxTokenSize
Type: REG_DWORD
Enabled value: 1
Disabled value: 0

Policy elements

Inputs and configuration options exposed by this policy.

Scope: Computer
Element: Maximum size
ID: MaxTokenSize
Type: decimal
Registry mapping
Path: System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value name: MaxTokenSize
Type: REG_DWORD
Constraints & behavior
Range: 12000 to 2147483647
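
The following audit check is an added example, not part of the original policy page or of any Microsoft tooling. It reads the EnableMaxTokenSize and MaxTokenSize values from the registry path listed above and compares MaxTokenSize with the 12000 lower bound of the range and the 48,000-byte ceiling advised in the policy text; the function name, parameter names and status strings are hypothetical.

```powershell
# Added example: audit the two registry values this policy writes.
# Function name, parameters and status labels are assumptions for illustration.
function Test-KerberosMaxTokenSize {
    [CmdletBinding()]
    param(
        # Registry location taken from the policy's registry mapping.
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters',
        [long]$PolicyMinimum = 12000,    # lower bound of the policy element's range
        [long]$AdvisedMaximum = 48000    # ceiling advised in the policy text
    )

    # The key or either value may be absent when the policy is not configured.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $values = @{ EnableMaxTokenSize = $null; MaxTokenSize = $null }
    foreach ($name in @('EnableMaxTokenSize', 'MaxTokenSize')) {
        if ($props -and $props.PSObject.Properties[$name]) {
            $values[$name] = [long]$props.$name
        }
    }
    $size = $values['MaxTokenSize']

    if ($null -eq $size) {
        $status = 'NotSet'                 # OS default applies
    } elseif ($size -lt $PolicyMinimum) {
        $status = 'BelowPolicyRange'
    } elseif ($size -gt $AdvisedMaximum) {
        $status = 'AboveAdvisedMaximum'
    } else {
        $status = 'WithinAdvisedRange'
    }

    # Base64 turns every 3 bytes into 4 characters, so a full-size token
    # grows by about one third when carried in an HTTP header.
    $base64Length = $null
    if ($null -ne $size) {
        $base64Length = [long](4 * [math]::Ceiling([double]$size / 3))
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        PolicyEnabled      = ($values['EnableMaxTokenSize'] -eq 1)
        MaxTokenSize       = $size
        Base64EncodedChars = $base64Length
        Status             = $status
    }
}

Test-KerberosMaxTokenSize
```

The Base64EncodedChars column shows the size a maximum-length token reaches after HTTP's base64 encoding, which is the reason the policy text gives for not exceeding 48,000 bytes.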