A Kerberos change in Windows 2012 may cause access denied
In a meeting with Microsoft PFEs Gilson Banin and Marcelo Ferratti, a change in how Windows 2012 generates a Kerberos authentication ticket, called “KDC SID Resource Compression”, was discussed.
As is well known, an authentication ticket carries the user’s SID and the SIDs of the groups the user belongs to, plus any SID History entries from earlier migrations. In some cases, mainly in very large domains, the ticket could exceed the default limit of 12 KB and cause authentication problems. It is worth remembering that for the same reason a user cannot be a member of more than 1024 groups.
Today the ticket (PAC) is composed of complete SIDs: the fixed prefix (S-1-5), the domain SID, and the RID of the individual object in the last block:
Change in Windows 2012
The KDC change is to stop including the repeated data in the ticket. A ticket generated by a Windows 2012 domain controller is therefore smaller, which solves the problem without having to change the ticket size limit.
Thus, the same ticket from the previous example would look like this:
The problem is that servers prior to Windows 2012 do not “understand” the new ticket and only evaluate the ACEs whose SIDs are present in full, so the user could access locations where permission was granted to the SIDs in cases 1 and 4 of the example, but not where the permission was granted to one of the other SIDs.
In an environment that still has servers older than Windows 2012, which includes Windows 2008 R2, access to file servers, Exchange, and anything else based on Kerberos will suffer access denied problems.
To disable this feature, create a DWORD registry value named DisableResourceGroupsFields under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters.
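To make the size and compatibility argument concrete, here is an added Python model (not code from this post or from Microsoft) that encodes group SIDs in binary form, compresses those sharing the resource domain prefix into one domain SID plus a RID list, and shows that a consumer which ignores the RID list only matches ACEs granted to the full SIDs. The domain SID, the RIDs and the compressed layout are constructed assumptions for illustration, not the real PAC structure.

```python
"""Simplified model of KDC resource SID compression: a constructed example,
not the real PAC layout. Groups whose SID shares the resource domain prefix
are stored once as the domain SID plus a list of RIDs; other SIDs stay full."""
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Binary SID layout: revision, sub-authority count, 6-byte authority,
    then one 4-byte little-endian sub-authority per remaining component."""
    parts = sid.split("-")                        # ["S", "1", "5", "21", ...]
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def compress(group_sids, resource_domain):
    """Keep foreign SIDs verbatim; turn resource-domain SIDs into bare RIDs."""
    full, rids = [], []
    for sid in group_sids:
        if sid.startswith(resource_domain + "-"):
            rids.append(int(sid.rsplit("-", 1)[1]))
        else:
            full.append(sid)
    return {"sids": full, "resource_domain": resource_domain, "resource_rids": rids}

def pac_size(pac):
    """Bytes needed for the group data in this modelled ticket."""
    size = sum(len(sid_to_bytes(s)) for s in pac["sids"])
    if pac["resource_rids"]:
        size += len(sid_to_bytes(pac["resource_domain"])) + 4 * len(pac["resource_rids"])
    return size

def effective_sids(pac, understands_compression):
    """SIDs a server actually matches against ACEs. A consumer that does not
    understand the compressed fields never expands the RID list."""
    sids = set(pac["sids"])
    if understands_compression:
        sids |= {f"{pac['resource_domain']}-{rid}" for rid in pac["resource_rids"]}
    return sids

def access_granted(pac, ace_sid, understands_compression):
    return ace_sid in effective_sids(pac, understands_compression)

# Constructed sample data: the domain SID and RIDs are made up for the example.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
OTHER_DOMAIN_GROUP = "S-1-5-21-1444444444-1555555555-1666666666-1201"
GROUPS = [OTHER_DOMAIN_GROUP, DOMAIN + "-1301", DOMAIN + "-1302", DOMAIN + "-1303"]
UNCOMPRESSED = {"sids": GROUPS, "resource_domain": DOMAIN, "resource_rids": []}
COMPRESSED = compress(GROUPS, DOMAIN)
```

With the sample above the four full SIDs take 112 bytes while the compressed form takes 64, and an ACE granted to the resource-domain group `-1302` is matched only by a consumer that expands the RID list.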
More Information: http://support.microsoft.com/kb/2774190