PingFederate and Active Directory Kerberos Tokens

An old AD issue that pops up from time to time is Kerberos token bloat. In a nutshell, the more AD groups you're a member of, the bigger your Kerberos token, because every group SID (and every SID in your SID history) is carried inside the ticket's PAC. Eventually the token gets too big for some buffer along the path and things start to break, usually with an unhelpful HTTP 400 or a silent fall-back to a login prompt.

In the most common case, when you attempt to access a web site, the browser (Internet Explorer in the typical corporate deployment) Base64-encodes the Kerberos/SPNEGO token and sends it in the `Authorization: Negotiate` header of the HTTP request.

Windows hosts have a MaxTokenSize setting (a Kerberos parameter under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters`) that caps the size of the token buffer. Historically MaxTokenSize was 12,000 bytes. With Windows Server 2012 the default was raised to 48,000 bytes, which is the practical maximum once the token has to travel in an HTTP header: Base64 encoding grows the token by a third, so a 48,000-byte token becomes roughly 64,000 characters, just under the 64 KB ceiling IIS and HTTP.sys place on a single request header. Some older documentation recommends setting MaxTokenSize to 65,535 bytes (the largest value the setting accepts), but that advice didn't take into account that the token is Base64-encoded on the wire, so a token that large can no longer fit in the header at all.

PingFederate ships with a maximum request header size of 8K (the Jetty `requestHeaderSize` value in its jetty-runtime.xml). When integrating with a Kerberos forest we typically raise this to 48K, in line with Windows 2012+. Note the Base64 arithmetic still applies on the PingFederate side: a 48K header limit only accommodates a raw token of about 36,000 bytes, so if users in the forest actually approach the 48,000-byte MaxTokenSize, the header limit needs to be nearer 64K.
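To make the sizing arithmetic from the last two paragraphs concrete, here is an added Python example (not code from the original post or from PingFederate). It parses the `Authorization: Negotiate` header out of a raw HTTP request, decodes the Base64 token, and reports whether the token fits the Kerberos MaxTokenSize and whether the encoded header fits the web server's header limit. The request, the opaque blob standing in for a real SPNEGO token, and the `sso.example.com` host are constructed for the example; the 8192-byte PingFederate/Jetty default and the legacy KB 327825 token-size estimate (`1200 + 40d + 8s`) are assumptions stated in the comments.

```python
import base64
import re
from math import ceil

# Header a browser sends for Kerberos/SPNEGO (RFC 4559). The GSS token is
# Base64-encoded, which is where the size growth on the wire comes from.
NEGOTIATE_PREFIX = "Authorization: Negotiate "

# Windows defaults for the Kerberos MaxTokenSize registry value, in bytes.
MAXTOKENSIZE_LEGACY = 12000    # Windows 2000 through Windows Server 2008 R2
MAXTOKENSIZE_2012 = 48000      # Windows 8 / Server 2012 and later
MAXTOKENSIZE_CEILING = 65535   # largest value the registry setting accepts

# Assumed default request-header limit of the Jetty engine inside PingFederate
# (the post says 8K; 8192 bytes is Jetty's own default for requestHeaderSize).
PF_DEFAULT_HEADER_BYTES = 8192

# Assumed ceiling on a single HTTP header for IIS / HTTP.sys (a little under 64 KB).
IIS_HEADER_CEILING = 65535


def base64_length(raw_bytes: int) -> int:
    """Encoded size of raw_bytes under standard Base64 with padding: 4 chars per 3 bytes."""
    return 4 * ceil(raw_bytes / 3)


def negotiate_header_length(raw_token_bytes: int) -> int:
    """Bytes the Authorization header line occupies once the token is Base64-encoded."""
    return len(NEGOTIATE_PREFIX) + base64_length(raw_token_bytes)


def estimate_token_size(d: int, s: int) -> int:
    """Legacy Microsoft estimate from KB 327825 (an assumption for this example):
    TokenSize = 1200 + 40d + 8s, where d counts domain local groups, universal groups
    outside the account domain and SID-history entries, and s counts global groups plus
    universal groups inside the account domain."""
    return 1200 + 40 * d + 8 * s


def build_request(raw_token: bytes) -> bytes:
    """Constructed HTTP request carrying an opaque blob in place of a real SPNEGO
    token; only its length matters for the size checks below."""
    token = base64.b64encode(raw_token).decode("ascii")
    return (
        "GET /idp/startSSO.ping HTTP/1.1\r\n"
        "Host: sso.example.com\r\n"
        f"{NEGOTIATE_PREFIX}{token}\r\n"
        "\r\n"
    ).encode("ascii")


def check_request(request: bytes, max_token_size: int, max_header_bytes: int) -> dict:
    """Pull the Negotiate token out of a raw request, decode it, and compare the raw
    size against MaxTokenSize and the encoded header line against the server limit."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    m = re.search(r"^Authorization:[ \t]*Negotiate[ \t]+([A-Za-z0-9+/=]+)", head, re.M | re.I)
    if not m:
        raise ValueError("no Negotiate Authorization header in request")
    raw = base64.b64decode(m.group(1), validate=True)
    header_bytes = len(m.group(0))
    return {
        "raw_token_bytes": len(raw),
        "header_bytes": header_bytes,
        "fits_maxtokensize": len(raw) <= max_token_size,
        "fits_server_header": header_bytes <= max_header_bytes,
    }


if __name__ == "__main__":
    # A legacy-sized token already overflows PingFederate's 8K default header limit,
    # and a full 48,000-byte token needs a limit near 64K, not 48K.
    for raw_size, token_limit, header_limit in (
        (MAXTOKENSIZE_LEGACY, MAXTOKENSIZE_LEGACY, PF_DEFAULT_HEADER_BYTES),
        (MAXTOKENSIZE_2012, MAXTOKENSIZE_2012, 48 * 1024),
        (MAXTOKENSIZE_2012, MAXTOKENSIZE_2012, IIS_HEADER_CEILING),
    ):
        result = check_request(build_request(b"\x00" * raw_size), token_limit, header_limit)
        print(f"raw={raw_size:6d} header={result['header_bytes']:6d} limit={header_limit:6d} "
              f"fits_token={result['fits_maxtokensize']} fits_header={result['fits_server_header']}")
    # Rough token size for a user in 200 domain local groups and 300 global groups.
    print("estimated token bytes:", estimate_token_size(200, 300))
```

The point the numbers make: a 12,000-byte token becomes a 16,025-byte header line, double the 8K Jetty default, and a 48,000-byte token becomes 64,025 bytes, which fits under a 64 KB header ceiling but not under a 48K one.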