Hello Mei Lin,
You are correct in suspecting Kerberos token bloat. When a user account is a member of too many Active Directory security groups, the PAC data in the Kerberos ticket exceeds the default MaxTokenSize, which results in HTTP 400 Bad Request errors on IIS or other intranet portals. By default, Windows sets MaxTokenSize to 48,000 bytes, but in practice IIS and certain applications fail once the token grows beyond ~12,000–16,000 bytes.
The immediate remediation is to adjust the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize to a higher value, for example 65535, and then reboot the affected servers. At the same time, you should review group memberships for the impacted users, since excessive nested groups are the root cause and can lead to performance and authentication issues across multiple services. Microsoft’s best practice is to keep group memberships lean and avoid unnecessary nesting.
If my answer is useful for you, please hit "Accept the answer" to support me.
Thank you,
QQ.
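As an added example (not part of the answer above), the following PowerShell script checks the current MaxTokenSize on a server, estimates a user's Kerberos token size from their effective (nested) group membership, and applies the registry change described above. It assumes a domain-joined host with the RSAT ActiveDirectory module, an elevated session for the registry write, and a hypothetical account name `mei.lin`; the size estimate uses Microsoft's published single-domain approximation and is a guide, not a measurement of the real ticket.

```powershell
# Added example, not code from the original answer. Assumes a domain-joined host with the
# RSAT ActiveDirectory module and an elevated session for the registry write.
Import-Module ActiveDirectory

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-MaxTokenSize {
    # Current MaxTokenSize on this host, or the OS default of 48000 when the value is not set.
    $v = Get-ItemProperty -Path $RegPath -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 48000 } else { return [int]$v.MaxTokenSize }
}

function Get-TokenSizeEstimate {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    # LDAP_MATCHING_RULE_IN_CHAIN makes the DC walk nested membership, so one query
    # returns every group the user belongs to directly or through nesting.
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" -Properties GroupScope)
    # Single-domain approximation of Microsoft's estimate: 1200 + 40*d + 8*s, where
    # d = domain-local groups (full SID stored) and s = global/universal groups (RID only).
    $d = @($groups | Where-Object GroupScope -eq 'DomainLocal').Count
    $s = @($groups | Where-Object GroupScope -ne 'DomainLocal').Count
    [pscustomobject]@{
        User           = $SamAccountName
        GroupCount     = $groups.Count
        EstimatedBytes = 1200 + 40 * $d + 8 * $s
        MaxTokenSize   = Get-MaxTokenSize
    }
}

function Set-MaxTokenSize {
    param([ValidateRange(1, 65535)][int]$Bytes = 65535)
    # Create the key if it is missing, write the DWORD, and remind that a reboot is required.
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name MaxTokenSize -PropertyType DWord -Value $Bytes -Force | Out-Null
    Write-Host "MaxTokenSize set to $Bytes; reboot the server for the change to take effect."
}

# Usage with a hypothetical account: estimate first, raise the limit only where the
# estimate exceeds it, and keep the group count as the input for membership cleanup.
$report = Get-TokenSizeEstimate -SamAccountName 'mei.lin'
$report | Format-List
if ($report.EstimatedBytes -gt $report.MaxTokenSize) { Set-MaxTokenSize -Bytes 65535 }
```

Raising MaxTokenSize only buys headroom; the GroupCount column is the figure to track down over time, since the nested memberships are the root cause the answer points to.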