Microsoft Event Id 40960

Fixing Event ID 40960

We ran across an interesting problem today in our environment.

We had two users, interestingly enough they both have the same last name, who were being prompted to enter their credentials for nearly everything they touched, shared drives, printers. They were also having issue with outlook personal folders.

After looking in the event logs, we noticed the following error message.

01/01/1900 9:19:16 AM    LSA (LsaSrv)    40960    None

The description for Event ID 40960 from source LsaSrv cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

cifs/server.company.com
Kerberos
"{Buffer Too Small}
The buffer is too small to contain the entry. No information has been written to the buffer.
 (0xc0000023)"

The handle is invalid

Researching, we were able to locate this page from Microsoft's site. It indicates that "...you must set the MaxTokenSize registry value for all the computers that are involved in the Kerberos authentication process".

It even indicates that there is a service pack which may/will correct the issue depending on your operating system.

The problem was caused by the user being assigned to many groups. The culmination of all the group names characters exceeded the default MaxTokenSize byes.

To correct it, all you should have to do is to set the MaxTokenSize parameter under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters registry key. We created the MaxTokenSize parameter as a DWORD (32-bit) Value and set it to a decimal value of 65535.

Once we had the user reboot, the problem no longer occurred.

Here is the exact registry fix we used, you can paste it into a file with a .reg extension and use regedit /s <path to file> to silently import it into the affected systems registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxTokenSize"=dword:0000ffff
Important, Don't forget that the system needs to be rebooted!!

2 thoughts on “Fixing Event ID 40960”

Leave a Reply