Allow Max Token Size on IIS

Hello,

Many of you may already had to increase the Active Directory TokenSize to allow users to be member of a lot of groups.We usually see this when the security on file server are managed on a per folder basis. This imply at least two groups for each directory, which can result in a lot of groups for a user to access a lot of folders (Especially before Windows Server 2012).

When you increase the size of the Active Directory TokenSize, you may experience issues on your IIS servers that uses Active Directory authentication. This is cause by default IIS configuration that doesn’t understand large token. you can remediate this by modifying those two registry keys :

Set-ItemProperty -Path "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesHTTPParameters" -Name MaxFieldLength -Value 65534 #Reg_DWord
Set-ItemProperty -Path "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesHTTPParameters" -Name MaxRequestBytes -Value 65534 #Reg_DWord

 

Leave a Reply