Watch the AD World Burn

Every once and a while I want, need, to watch the world burn. Today I’m sitting on a SEV A bridge trouble shooting FIM not attaching to EWS correctly and I hit the end my knowledge. We escalated to the on call Developer on the EWS team and he tells us he’s been busy today and is going out to dinner- Le sigh. At that point in my day I went from happy face to sad annoyed face panda. Then I wanted to watch the world burn, so I wrote some PowerShell someone with elevated access could run to make active directory stop working company wide. My first thought was “I bet I could do this as a one-liner” – but 15 semi colons is not really a one-liner. World burning AD token too big attached, Ended up being the four lines of code below

The KB reference has a great title “Logging on a user account that is a member of more than 1010 groups may fail on a Windows Server-based computer” – The script abuses the MAXTOKENSIZE limitation of Kerberos or NTLM authentication. Tokens are magically unicorn name tags people use to log in to AD. Like most unicorn’s, tokens have a binary multiple maximum number of things they can hold. In our case 1024 SID’s is the max number of SIDs you can hold in a token. In AD there’s a base level number of groups you have to be a member of. Those default groups + 1010 is enough to put 99% of users over 1024 SIDs in their token, and end their ability to login.

When a user with a token too big tries to login, AD says no thanks, sad face honey badger go away – or the official error message

Logon Message: The system cannot log you on due to the following error: During a logon attempt, the user’s security context accumulated too many security IDs. Please try again or consult your system administrator.

Every post needs a picture – for tonight’s picture, Maddex looking like he watched the world burn in front of the shed we tried to burn down last year.

I can neither confirm or deny testing the script posted above. Script is provided as is, and should never be used in real life. Run at your own risk and don’t blame for me being a dumb ass if you run it.

Leave a Reply