New features in Active Directory Domain Services in Windows Server 2012, Part 21: Resource SID Compression

In the earlier 20 blogposts on new features in Active Directory Domain Services in Windows Server 2012, I've covered most of the mainstream new features. Today, I'm covering a lesser known feature: SID Compression. While this feature has been around in earlier versions of Active Directory Domain Services in Windows Server, it has been enhanced in Windows Server 2012 to provide more value.

Together with related token features, like the larger default MaxTokenSize (48,000 bytes) and the ability to carry claims in the ticket for Dynamic Access Control, it is part of the Windows Server 2012 answer to token bloat.


SID Compression in earlier versions

In earlier versions of Active Directory Domain Services in Windows Server, SID compression of the account domain's group memberships has been part of the Kerberos PAC for years.

When the KDC creates a Ticket Granting Ticket (TGT), the SIDs of the global groups and universal groups in the Active Directory domain the user account belongs to are stored compressed in the authorization data (the PAC) of the TGT. Compression is achieved by storing the domain SID (the SID namespace) only once; each group in that namespace is then represented by its Relative ID (RID) alone, which the consumer appends to the stored domain SID to rebuild the full group SID.

The following group SIDs are compressed:

  1. Global groups in the user's account domain
  2. Universal groups in the user's account domain

All other group SIDs are stored uncompressed, as full SIDs. This includes Domain Local Groups, SIDs from outside the account domain (including SID history entries) and the SIDs of well-known groups.


SID Compression in Windows Server 2012

As part of the Windows Server 2012 changes to Kerberos ticket handling, a new SID compression scheme is used. This feature is called Resource SID Compression. It is enabled by default on Windows Server 2012 KDCs.

SID compression now also applies to the PAC of Kerberos Service Tickets (STs), not just to Kerberos Ticket Granting Tickets (TGTs). Since it is the KDC of the resource domain that adds the domain local groups when it issues an ST, this enables the compression of SIDs for Domain Local Groups in the Active Directory domain the user account is a member of and in any resource domain.

The following group SIDs will be compressed by default in Windows Server 2012:

  1. Global groups in the user’s account domain
  2. Domain local groups in the resource domain
  3. Universal groups in either the user’s account or resource domain
  4. SID history groups in either the user’s account or resource domain

The following group SIDs will not be compressed:

  1. Groups a user is a member of which are in domains other than the user's account domain or the resource domain
  2. Well known SIDs
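The following PowerShell is an added example, not code from the original post. It models the group-carrying fields of the PAC's KERB_VALIDATION_INFO (field names as in MS-PAC section 2.5) to show what the two compression schemes above save, and what a PAC consumer has to do to expand the compressed entries back into full SIDs. The domain SIDs, RIDs and group counts are constructed sample data, and the byte counts are an approximation that ignores NDR alignment.

```powershell
# Added example, not code from the original post. It models the group-carrying
# fields of the PAC's KERB_VALIDATION_INFO (field names from MS-PAC 2.5) to show
# what compression saves and what a PAC consumer must do to expand it.
# All SIDs, RIDs and group counts below are constructed sample data.

function ConvertTo-FullSid {
    # Expands compressed entries exactly as a PAC consumer has to:
    # <domain SID>-<RID> for every RID in the array.
    param(
        [Parameter(Mandatory)][string]$DomainSid,
        [Parameter(Mandatory)][uint32[]]$Rids
    )
    foreach ($rid in $Rids) {
        [System.Security.Principal.SecurityIdentifier]::new("$DomainSid-$rid")
    }
}

function Expand-PacGroupSids {
    # $Pac mirrors the KERB_VALIDATION_INFO fields that carry group membership.
    param(
        [Parameter(Mandatory)][hashtable]$Pac,
        [switch]$IgnoreResourceGroups   # emulate a consumer that predates Windows Server 2012
    )
    $sids = [System.Collections.Generic.List[string]]::new()

    # 1. Account-domain global/universal groups: LogonDomainId + GroupIds (compressed for years)
    foreach ($sid in (ConvertTo-FullSid -DomainSid $Pac.LogonDomainId -Rids $Pac.GroupIds)) {
        $sids.Add($sid.Value)
    }
    # 2. ExtraSids: full SIDs that are never compressed (other domains, well-known SIDs)
    foreach ($sid in $Pac.ExtraSids) { $sids.Add($sid) }

    # 3. Windows Server 2012 Resource SID Compression: the resource domain's domain local
    #    groups as ResourceGroupDomainSid + ResourceGroupIds. A consumer that does not
    #    know these fields drops every domain local group, which is the access-denied
    #    symptom KB 2774190 describes.
    if (-not $IgnoreResourceGroups -and $Pac.ResourceGroupIds) {
        foreach ($sid in (ConvertTo-FullSid -DomainSid $Pac.ResourceGroupDomainSid -Rids $Pac.ResourceGroupIds)) {
            $sids.Add($sid.Value)
        }
    }
    return $sids
}

function Measure-GroupEncoding {
    # Approximate wire cost of one group per encoding (ignores NDR alignment):
    # compressed  : GROUP_MEMBERSHIP        = RID (4) + Attributes (4)
    # uncompressed: KERB_SID_AND_ATTRIBUTES = pointer (4) + Attributes (4) + the SID itself
    param(
        [Parameter(Mandatory)][string]$DomainSid,
        [Parameter(Mandatory)][int]$GroupCount
    )
    $sidBytes = [System.Security.Principal.SecurityIdentifier]::new("$DomainSid-1000").BinaryLength
    [pscustomobject]@{
        Groups       = $GroupCount
        Compressed   = $sidBytes + 8 * $GroupCount      # domain SID once, then 8 bytes per group
        Uncompressed = (8 + $sidBytes) * $GroupCount
    }
}

# --- constructed sample PAC (made-up domain SIDs) ---
$pac = @{
    LogonDomainId          = 'S-1-5-21-1111111111-2222222222-3333333333'   # account domain
    GroupIds               = [uint32[]](513, 1105, 1106)                   # Domain Users + two global groups
    ExtraSids              = @('S-1-5-21-4444444444-5555555555-6666666666-1201',  # universal group in a third domain
                               'S-1-5-11')                                       # Authenticated Users (well-known)
    ResourceGroupDomainSid = 'S-1-5-21-7777777777-8888888888-9999999999'   # resource domain of the file server
    ResourceGroupIds       = [uint32[]](1301, 1302)                        # domain local groups used in share ACLs
}

$full   = Expand-PacGroupSids -Pac $pac
$legacy = Expand-PacGroupSids -Pac $pac -IgnoreResourceGroups
"Groups seen by a consumer that knows the resource group fields : $($full.Count)"
"Groups seen by a legacy consumer                               : $($legacy.Count)"   # the ResourceGroupIds entries are missing
Measure-GroupEncoding -DomainSid $pac.ResourceGroupDomainSid -GroupCount 100
```

The difference between the two counts is exactly the domain local groups of the resource domain: a service that builds its access token from the PAC with its own parser and stops after ExtraSids never sees them, so any share permissioned through those groups returns access denied. The Measure-GroupEncoding call shows why Microsoft made the trade-off: for a user in many domain local groups, the 8-byte-per-group form is a fraction of the full-SID form.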


Disabling Resource SID Compression

Microsoft has documented problems with the new SID compression scheme in Microsoft KnowledgeBase article 2774190. Because Service Tickets (STs) now carry compressed group entries too, and STs are the tickets clients present to services (file servers, web servers, NAS appliances), every service that parses the PAC itself has to understand the new resource group fields. Windows servers do; a third-party NAS device that builds its token from the PAC with its own code and does not know those fields silently loses the user's domain local group memberships, and the user gets access denied on resources that are permissioned through those groups.

When you run into this situation, you can disable resource SID compression on a Windows Server 2012 KDC by creating the DisableResourceGroupsFields registry value under the HKLM\SYSTEM\CurrentControlSet\Services\Kdc registry key, the location documented in KB 2774190.

This registry value has the DWORD registry value type. Setting it to 1 disables resource SID compression completely; 0, or no value at all, leaves it enabled. The Key Distribution Center (KDC) reads this configuration when it builds a service ticket and, with the bit set, leaves the resource groups uncompressed. The setting is per domain controller: a DC without it keeps issuing compressed tickets, so set it on every Windows Server 2012 DC that can issue service tickets for the affected resource domain.

You do not need to reboot Domain Controllers after making these changes, because the KDC evaluates the value each time it builds a service ticket. Service tickets issued before the change still contain the compressed resource groups until they expire or the client purges its ticket cache (klist purge) and requests a fresh ticket.
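The following PowerShell is an added example, not from the original post or from KB 2774190. It switches Resource SID Compression off (or back on) on every domain controller of the current domain and reads the setting back from each DC. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs, and the registry location documented in KB 2774190; the NAS service name in the trailing comment is hypothetical.

```powershell
# Added example, not from the original post or KB 2774190: sets DisableResourceGroupsFields
# on every domain controller of the current domain and reads it back. Assumes the RSAT
# ActiveDirectory module, WinRM access to the DCs and the KB 2774190 registry location.

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'DisableResourceGroupsFields'   # REG_DWORD: 1 = compression off, 0/absent = on (default)

function Get-ResourceSidCompression {
    param([string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $KdcKey, $ValueName -ScriptBlock {
        param($Key, $Name)
        $current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
        [pscustomobject]@{
            DC          = $env:COMPUTERNAME
            RawValue    = $current
            Compression = if ($current -eq 1) { 'Disabled' } else { 'Enabled' }
        }
    } | Select-Object DC, RawValue, Compression
}

function Set-ResourceSidCompression {
    param(
        [Parameter(Mandatory)][bool]$Enabled,
        [string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName
    )
    $data = if ($Enabled) { 0 } else { 1 }
    # The setting is per KDC: a DC without it keeps issuing compressed service tickets,
    # so every DC that can serve the affected resource domain gets the same value.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $KdcKey, $ValueName, $data -ScriptBlock {
        param($Key, $Name, $Data)
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        # -Force overwrites an existing value. No KDC restart is needed: the KDC reads
        # the value each time it builds a service ticket.
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Data -Force | Out-Null
    }
    Get-ResourceSidCompression -ComputerName $ComputerName
}

# Disable compression while a NAS that cannot parse the resource group fields is in use,
# and confirm the state on every DC:
Set-ResourceSidCompression -Enabled $false

# Tickets issued before the change still carry compressed groups. On an affected client,
# purge the cache and fetch a fresh service ticket, for example (hypothetical service name):
#   klist purge
#   klist get cifs/nas01.corp.example
```

Run Set-ResourceSidCompression -Enabled $true once the NAS vendor has shipped PAC parsing that understands the resource group fields, so the domain regains the smaller service tickets; Get-ResourceSidCompression on its own is the quick audit for a DC that was rebuilt or added later and never received the value.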

Related KnowledgeBase Articles

327825 Problems with Kerberos authentication when a user belongs to many groups
2774190 Resource SID Compression in Windows Server 2012 may cause authentication problems on NAS devices

Further reading

MaxTokenSize and Windows 8 and Windows Server 2012
3.3.5.5.3 Domain Local Group Membership
Key Distribution Center

Acknowledgements

Many thanks to Guido Grillenmeier, Lee Flight and Dean Wells.

Series Navigation

<< New features in Active Directory Domain Services in Windows Server 2012, Part 20: Dynamic Access Control (DAC)
