When you use a Microsoft Windows Server domain controller to join a Microsoft Windows based client computer to a domain, you may receive an error message that resembles the following on the client computer:
The following error occurred attempting to join the domain “domain_name.com”: Not enough storage is available to complete this operation.
Additionally, the following Warning message may be logged in the System log on the client computer.
This problem occurs because the Kerberos token that is generated during authentication is more than the fixed maximum size. In the original release version of Microsoft Windows 2000, the default value of the MaxTokenSize registry entry was 8,000 bytes. In Windows 2000 with Service Pack 2 (SP2) and in later versions of Windows, the default value of the MaxTokenSize registry entry is 12,000 bytes.
For example, if a user is a member of a group either directly or by membership in another group, the security ID (SID) for that group is added to the user’s token. For a SID to be added to the user’s token, the SID information must be communicated by using the Kerberos token. If the required SID information exceeds the size of the token, authentication is unsuccessful.
To resolve this problem, increase the Kerberos token size. To do this, follow these steps on the client computer that logs the Kerberos event.
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey:
Note If the Parameters key is not present, create the key. To do this, follow these steps:
a) Locate and then click the following registry subkey:
b) On the Edit menu, point to New, and then click Key.
c) Type Parameters, and then press ENTER.
- On the Edit menu, point to New, and then click DWORD Value.
- Type MaxTokenSize, and then press ENTER.
- On the Edit menu, click Modify.
- In the Base area, click Decimal, type 65535 in the Value data box, and then click OK.
- Exit Registry Editor.
- Restart the computer.
Related Article: Article ID 935744