Windows Remote Management (WinRM) does not accept HTTP authorization requests that are larger than 16 KB on a computer that is running Windows Server 2008 or Windows Vista
Consider the following scenario:
- You have Windows Remote Management (WinRM) installed on a computer that is running Windows Server 2008 or Windows Vista.
- You have a user security token that is larger than 16 KB because of the domain configuration.
Note: The size of the user security token grows together with the number of groups to which the user belongs.
- You start a WinRM operation from this computer. Or, you use another application that uses WinRM for communication, such as Microsoft System Center Virtual Machine Manager.
In this scenario, the operation fails and you receive the following error code:
Additionally, the following event is logged in the System log:
Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: Date & Time
Event ID: 6
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: Computer Name
Description:
The kerberos SSPI package generated an output token of size number bytes, which was too large to fit in the token buffer of size number bytes, provided by process id number. The output SSPI token being too large is probably the result of the user user name being a member of a large number of groups. It is recommended to minimize the number of groups a user belongs to. If the problem can not be corrected by reduction of the group memberships of this user, please contact your system administrator to increase the maximum token size, which in term is configured machine-wide via the following registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.
For more information on this issue, including potential causes, workarounds, and resolutions, see: Microsoft KB Article KB971244.
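
A check for this condition, added here as an example and not taken from the Microsoft article: it parses the Event ID 6 description for the token and buffer sizes, then reads the configured MaxTokenSize value and lists the logged events on the local computer. The function name ConvertFrom-KerberosEvent6 and the sample message values (sizes, process id, user) are constructed for illustration.

```powershell
# Added example. The function name and the sample values are constructed.
function ConvertFrom-KerberosEvent6 {
    param([Parameter(Mandatory = $true)][string]$Message)
    # (?s) lets '.' span line breaks, because the rendered description may wrap.
    $pattern = '(?s)output token of size (?<token>\d+) bytes.*?' +
               'token buffer of size (?<buffer>\d+) bytes, provided by process id (?<procid>\d+)' +
               '.*?result of the user (?<user>.+?) being a member'
    $m = [regex]::Match($Message, $pattern)
    if (-not $m.Success) { return }   # not an Event ID 6 description; emit nothing
    $token  = [int]$m.Groups['token'].Value
    $buffer = [int]$m.Groups['buffer'].Value
    New-Object PSObject -Property @{
        User        = $m.Groups['user'].Value
        ProcessId   = [int]$m.Groups['procid'].Value
        TokenBytes  = $token
        BufferBytes = $buffer
        OverByBytes = $token - $buffer   # how far the token exceeded the buffer
    }
}

# Constructed sample in the format of the event description quoted above.
$sample = 'The kerberos SSPI package generated an output token of size 17412 bytes, ' +
          'which was too large to fit in the token buffer of size 16384 bytes, ' +
          'provided by process id 1184. The output SSPI token being too large is ' +
          'probably the result of the user CONTOSO\jdoe being a member of a large number of groups.'
ConvertFrom-KerberosEvent6 -Message $sample |
    Select-Object User, ProcessId, TokenBytes, BufferBytes, OverByBytes

# Live check: the machine-wide MaxTokenSize value named in the event text.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$max = (Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
if ($null -eq $max) {
    'MaxTokenSize is not set; the operating system default applies.'
} else {
    "MaxTokenSize = $max bytes"
}

# Live check: every logged Event ID 6 from the Kerberos source, largest overflow first.
$xpath = "*[System[Provider[@Name='Microsoft-Windows-Security-Kerberos'] and (EventID=6)]]"
Get-WinEvent -LogName System -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-KerberosEvent6 -Message $_.Message } |
    Sort-Object OverByBytes -Descending |
    Select-Object User, ProcessId, TokenBytes, BufferBytes, OverByBytes
```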