Recently, I had the unpleasant requirement to validate Kerberos token size for a network where users were experiencing random issues hitting certain sites and databases. Today I validated it was token size, but not until after I found Jacob Ludriks’ excellent PowerShell script to do so. I was about to write one myself when I stumbled across this gem, which came in immensely useful in helping a good colleague in a bad situation.
Without further ado, here’s the link to the script:
http://jacob.ludriks.com/getting-kerberos-token-size-with-powershell/
In the event this script ends up getting taken down, here’s the content – please visit Jacob’s site if you find this useful. He’s got some other PowerShell goodies over there too that you might like.
# Always credit where due - this was found via
# http://jacob.ludriks.com/getting-kerberos-token-size-with-powershell/
#Gets max token size
#Run with .\get_tokensize.ps1 -Username "domain\username"
#Reference: http://support.microsoft.com/kb/327825
#tokensize = 1200 + 40d + 8s
Param(
[Parameter(Mandatory=$True)]
[String]$Username
)
$domain = ($username.split("\"))[0]
$user = ($username.split("\"))[1]
Import-Module ActiveDirectory
$rootdse = (Get-ADDomain $domain).distinguishedname
$server = (Get-ADDomain $domain).pdcemulator
$usergroups = Get-ADPrincipalGroupMembership -server $server $user | select distinguishedname,groupcategory,groupscope,name
$domainlocal = [int]@($usergroups | where {$_.groupscope -eq "DomainLocal"}).count
$global = [int]@($usergroups | where {$_.groupscope -eq "Global"}).count
$universaloutside = [int]@($usergroups | where {$_.distinguishedname -notlike "*$rootdse" -and $_.groupscope -eq "Universal"}).count
$universalinside = [int]@($usergroups | where {$_.distinguishedname -like "*$rootdse" -and $_.groupscope -eq "Universal"}).count
$tokensize = 1200 + (40 * ($domainlocal + $universaloutside)) + (8 * ($global + $universalinside))
Write-Host "
Domain local groups: $domainlocal
Global groups: $global
Universal groups outside the domain: $universaloutside
Universal groups inside the domain: $universalinside
Kerberos token size: $tokensize"