Cookie + kerberos

This seems to be like a misconfiguration of your PHP, Kerberos and/or Windows environment. The cookie generated by PHP/WordPress does *not* contain the security groups but only the session ID. In case it *does* contain the security groups, you have to configure PHP to store the session data on the server side. This should be the default btw.

On your Windows clients, you can set the registries’ MaxTokenSize to a higher value as described in https://blogs.technet.microsoft.com/shanecothran/2010/07/16/maxtokensize-and-kerberos-token-bloat/.
On the server running IIS you have to adjust the MaxFieldLength and MaxRequestBytes registry keys (https://www.grouppolicy.biz/2013/06/how-to-configure-iis-to-support-large-ad-token-with-group-policy/).

Hi thanks for reply. Let me be more clear.
I already set IIS side (MaxFieldLength, MaxRequestBytes) and client side (MaxTokenSize). That’s why I am able to log in at very first request.
But then it put whole kerberos ticket to cookie with some algorithm, and it hits with a limitation of cookie 4KB. At second request I get 401.

Thanks for helping me.

Michal

• This reply was modified 5 years, 9 months ago by mi0o.

Do you have checked the IIS’ Kerberos settings with https://blogs.iis.net/brian-murphy-booth/delegconfig-delegation-configuration-reporting-tool?

If you want us to take a look upon your settings and need an invoice for this, drop me a line. Conditions can be found at https://active-directory-wp.com/service-for-active-directory-and-wordpress/

Oh, and please note that the MaxTokenSize field has to be set on *all* computers, not only on the IIS host (https://support.microsoft.com/en-au/help/327825/problems-with-kerberos-authentication-when-a-user-belongs-to-many-grou).

• This reply was modified 5 years, 9 months ago by schakko.