Some users, after launching the DRA MMC, receive a message in the right hand pane saying 'Page cannot be displayed' (NETIQKB3310)

  • 7703310
  • 02-Feb-2007
  • 22-Jun-2007

Resolution

fact
Directory and Resource Administrator 6.x

symptom
Some users, after launching the DRA MMC, receive a message in the right hand pane saying 'Page cannot be displayed'

symptom
Both Assistant Admins are using the MMC at the same time and are connecting to the same DRA server with the same default web server.

cause
This issue occurs when a user is a member of a large number of groups.

The problem is seen while running Windows 2000 and IE 5.0. The DRA server is running IIS 5.0 and is configured to use Windows Integrated Authentication. In this configuration the IIS server requests Kerberos authentication from the IE client. The IE client, however, has a limited buffer size for the Kerberos token. If the user is a member of a large number of groups, the buffer fills up and the client cannot generate a token.

This issue is described in Microsoft Knowledge Base articles Q277741 and Q269643.

fix

There are two solutions for this:

1) Configure IIS to use NTLM instead of Kerberos. This can be done by running the script syntax below from the inetpub\AdminScripts directory and then restarting the IIS Admin Service.

cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

This solution works if the IIS server is located on the same server as the DRA server. If the IIS server is located on a separate server, you must use either Basic Authentication or Kerberos due to limitations with pass-through authentication and NTLM. See Microsoft Knowledge Base article Q215383 for details regarding this.

fix

2) Upgrade IE to 5.01 SP2 or higher and perform the following steps to increase the Kerberos token buffer size:

  1. Launch Regedt32.
  2. Navigate to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos registry key.
  3. Select Add Key from the Edit menu.
  4. Type Parameters in the Key Name: field and click OK.
  5. Highlight the Parameters key and select Add Value from the Edit menu.
  6. Type MaxTokenSize in the Value Name: field.
  7. Select REG_DWORD from the list in the Data Type: field.
  8. Select Decimal for the Radix value and enter 100,000 in the Data: field.
  9. Close Regedt32.

A 100KB token is equivalent to approximately 900 groups. This change must be made on each client. The same change is also required for Windows 2000 clients with IE5.5 and IE6.0 that use the NetIQ MMC snap-in if the Assistant Admin is in a large number of groups.
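The registry change in steps 1 through 9, together with a check of how many groups are in the current user's token, as an added example that is not part of the NetIQ article. It assumes Windows PowerShell run elevated on the client being changed; the function names are ours, and the capacity estimate uses only the article's rule of thumb that a 100,000-byte token holds roughly 900 groups.

```powershell
# Added example (not NetIQ's code): apply the MaxTokenSize change from the
# steps above and report how close the current user's token is to the limit.
# Assumes: elevated Windows PowerShell on the client. Function names are ours.

$KerberosKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$TargetTokenSize = 100000   # decimal, as entered in step 8

function Get-MaxTokenSize {
    # Returns the configured MaxTokenSize, or $null when the value is absent.
    $item = Get-ItemProperty -Path $KerberosKey -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.MaxTokenSize
}

function Set-MaxTokenSize {
    param([int]$Size = $TargetTokenSize)
    # Steps 3 to 8: create the Parameters key if it is missing, then write the REG_DWORD.
    if (-not (Test-Path $KerberosKey)) {
        New-Item -Path $KerberosKey -Force | Out-Null
    }
    New-ItemProperty -Path $KerberosKey -Name MaxTokenSize -PropertyType DWord `
        -Value $Size -Force | Out-Null
    return (Get-MaxTokenSize)   # read back to confirm the write
}

function Get-TokenGroupPressure {
    # Counts the group SIDs in the current logon token and estimates the group
    # capacity of the configured token size using the article's approximation
    # (about 900 groups per 100,000 bytes). Capacity is $null when no value is set.
    $groupCount = ([Security.Principal.WindowsIdentity]::GetCurrent()).Groups.Count
    $configured = Get-MaxTokenSize
    $capacity   = $null
    if ($null -ne $configured) {
        $capacity = [math]::Floor($configured * 900 / 100000)
    }
    [pscustomobject]@{
        GroupsInToken       = $groupCount
        MaxTokenSizeBytes   = $configured
        ApproxGroupCapacity = $capacity
        NearLimit           = ($null -ne $capacity -and $groupCount -ge $capacity)
    }
}

# Usage: inspect first, then apply the article's value if needed.
Get-TokenGroupPressure
Set-MaxTokenSize
Get-TokenGroupPressure
```

Run the inspection on a client that shows the symptom before changing anything, so the group count and configured value can be recorded alongside the fix.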

NetIQ recommends reviewing the Microsoft articles above to determine the best solution for your environment.
note
Warning: Using the Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. NetIQ Technical Support cannot guarantee that problems resulting from the incorrect use of the Registry Editor can be resolved. Make sure that you back up your Registry prior to making any changes.

Additional Information

Formerly known as NETIQKB3310