PingFederate and Active Directory Kerberos Tokens

An old AD issue that pops up from time to time is Kerberos token bloat. In a nutshell, the more AD groups you're a member of, the bigger your Kerberos token. Eventually your token gets too big and stuff breaks.

In the most common use case, when you attempt to access a web site, the Kerberos token is encoded and placed in the Authorization header of the Internet Explorer HTTP request.

Servers receiving the HTTP request have a MaxTokenSize configured. Historically the MaxTokenSize was 12k. With Server 2012 this was bumped up to 48k, the maximum possible given the constraints of the HTTP protocol. Some older documentation refers to 65535 bytes, but that advice didn't take into account that the Kerberos token is Base64 encoded, which adds to the length of the token.

PingFederate is configured with a header size of 8K. When integrating with a Kerberos forest, we're typically upping this to 48K, in line with Windows 2012+.

Ping offers some guidance on changing the size for the different versions here, but essentially for version 8 we want to make the following change in <installdir>\pingfederate\bin\start.ini to give it the same max size as Server 2012.

#jetty.request.header.size=8192
jetty.request.header.size=49152

If you're curious about your own token size:

* On the desktop, use tokensz

C:\temp>tokensz.exe /compute_tokensize

Name: Kerberos Comment: Microsoft Kerberos V1.0
Current PackageInfo->MaxToken: 48000

Using user to user
QueryKeyInfo:
Signature algorithm = HMAC-SHA1-96
Encrypt algorithm = Kerberos AES256-CTS-HMAC-SHA1-96
KeySize = 256
Flags = 2083e
Signature Algorithm = 16
Encrypt Algorithm = 18
   Start:9/22/2015 3:33:05
  Expiry:9/22/2015 12:31:44
Current Time: 9/22/2015 3:33:05
MaxToken (complete context)  6410

C:\temp>

* On the wire, add two custom columns to Fiddler's CustomRules.js (FiddlerScript) that show the byte count of each request's and response's headers, so you can see how close the Authorization header gets to the configured limit:

// Fiddler CustomRules.js: column showing the size of each request's header block in bytes
public static BindUIColumn("Req-Header-Length")
function CalcMethodCol2(oS: Session){
    if (null != oS.oRequest)
        return oS.oRequest.headers.ByteCount().ToString();
    else
        return String.Empty;
}
// Same for the response header block
public static BindUIColumn("Resp-Header-Length")
function CalcMethodCol3(oS: Session){
    if (null != oS.oResponse)
        return oS.oResponse.headers.ByteCount().ToString();
    else
        return String.Empty;
}
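To put numbers on the Base64 point above, here is an added example (not from the original post or from Ping) that computes how large a raw Kerberos token becomes on the wire as an Authorization: Negotiate header, checks it against the 8192 and 49152 Jetty limits from start.ini, and measures a constructed request the way the Fiddler columns do. The request line, host name and the 6410-byte random token are constructed values; 6410 matches the "MaxToken (complete context)" figure tokensz printed above.

```python
import base64
import math
import os

# Values from the page: Jetty's default request header size, the raised value,
# and the MaxToken that tokensz reports on a Server 2012 forest.
JETTY_DEFAULT_HEADER_SIZE = 8192
JETTY_RAISED_HEADER_SIZE = 49152
WINDOWS_2012_MAXTOKENSIZE = 48000

def base64_len(raw_len: int) -> int:
    # Base64 emits 4 characters for every 3 input bytes, padding the last group.
    return 4 * math.ceil(raw_len / 3)

def negotiate_header_len(raw_token_len: int) -> int:
    # Bytes occupied by "Authorization: Negotiate <base64>\r\n" on the wire.
    return len(b"Authorization: Negotiate ") + base64_len(raw_token_len) + len(b"\r\n")

def token_fits(raw_token_len: int, header_limit: int, other_headers_len: int = 0) -> bool:
    # True if the Authorization line plus the rest of the header block fits the limit.
    return negotiate_header_len(raw_token_len) + other_headers_len <= header_limit

def measure_request(raw_request: bytes) -> dict:
    # Parse the header block of a raw HTTP request and report the same kind of
    # sizes the Fiddler "Req-Header-Length" column shows, plus the token sizes.
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    header_block_len = len(head) + len(b"\r\n\r\n")   # count the terminating blank line
    token_b64 = b""
    for line in head.split(b"\r\n")[1:]:              # skip the request line
        name, _, value = line.partition(b":")
        value = value.strip()
        if name.strip().lower() == b"authorization" and value.startswith(b"Negotiate "):
            token_b64 = value[len(b"Negotiate "):]
    raw_len = len(base64.b64decode(token_b64)) if token_b64 else 0
    return {"header_block_len": header_block_len,
            "token_b64_len": len(token_b64),
            "token_raw_len": raw_len}

def build_request(raw_token: bytes) -> bytes:
    # Constructed request shaped like the one IE sends after a Negotiate challenge.
    return (b"GET / HTTP/1.1\r\n"
            b"Host: sso.example.test\r\n"
            b"Authorization: Negotiate " + base64.b64encode(raw_token) + b"\r\n\r\n")

if __name__ == "__main__":
    # Constructed 6410-byte token (random bytes, not a real ticket).
    m = measure_request(build_request(os.urandom(6410)))
    print(m)
    for limit in (JETTY_DEFAULT_HEADER_SIZE, JETTY_RAISED_HEADER_SIZE):
        print(f"fits jetty.request.header.size={limit}: {m['header_block_len'] <= limit}")
    print("64000 chars for a", WINDOWS_2012_MAXTOKENSIZE, "byte token:", base64_len(WINDOWS_2012_MAXTOKENSIZE))
```

Run it and the 6410-byte token from the tokensz output already turns into an 8548-character header value, which is why the 8192 default in start.ini has to go up before Kerberos logins to PingFederate will work.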