Sun OpenSSO Enterprise 8.0 Administration Guide

Procedure: To Reduce the Size of a Kerberos Ticket

All Active Directory groups to which a user belongs are encoded within an issued Kerberos ticket, increasing the size of the HTTP header. Choose one of the following options to reduce the ticket's size.

  1. Increase the default maximum header size of the web container being used.

    For example, when using GlassFish, replace:

    <connection-pool max-pending-count="4096" 
    queue-size-in-bytes="4096" receive-buffer-size-in-bytes="4096" 
    send-buffer-size-in-bytes="8192"/>

    with

    <connection-pool max-pending-count="4096" 
    queue-size-in-bytes="65536" receive-buffer-size-in-bytes="65536" 
    send-buffer-size-in-bytes="65536"/>
  2. Disable the PAC for the OpenSSO service account.

    The PAC (Privilege Attribute Certificate) is the Microsoft extension to Kerberos that contains the Active Directory groups, so tickets issued for that account no longer carry them. See http://support.microsoft.com/kb/832572.
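The following sizing check is an added example, not part of the original guide or of OpenSSO. It parses the two `<connection-pool>` elements from option 1 and tests whether an estimated `Authorization: Negotiate` header fits in `receive-buffer-size-in-bytes`. Assumptions: Microsoft's published token-size estimate (1200 + 40d + 8s bytes), a 512-byte allowance for the rest of the request head, and that the whole request head must fit in the receive buffer.

```python
import xml.etree.ElementTree as ET

# The two <connection-pool> elements from option 1 of the procedure.
DEFAULT_POOL = ('<connection-pool max-pending-count="4096" '
                'queue-size-in-bytes="4096" receive-buffer-size-in-bytes="4096" '
                'send-buffer-size-in-bytes="8192"/>')
RAISED_POOL = ('<connection-pool max-pending-count="4096" '
               'queue-size-in-bytes="65536" receive-buffer-size-in-bytes="65536" '
               'send-buffer-size-in-bytes="65536"/>')

PREFIX = "Authorization: Negotiate "
OTHER_HEADERS = 512  # assumption: request line plus all other headers


def receive_buffer(pool_xml):
    """Return receive-buffer-size-in-bytes from a <connection-pool> element."""
    elem = ET.fromstring(pool_xml)
    if elem.tag != "connection-pool":
        raise ValueError("expected a <connection-pool> element")
    return int(elem.attrib["receive-buffer-size-in-bytes"])


def estimate_token_bytes(d, s):
    """Estimate token size: d = domain-local groups, universal groups from
    other domains and SID-history entries; s = global groups and universal
    groups from the user's own domain."""
    return 1200 + 40 * d + 8 * s


def negotiate_header_bytes(token_bytes):
    """Length of the header line once the token is base64-encoded."""
    b64_len = (token_bytes + 2) // 3 * 4
    return len(PREFIX) + b64_len + 2  # +2 for the trailing CRLF


def fits(pool_xml, d, s, other=OTHER_HEADERS):
    """True if the estimated request head fits in the receive buffer."""
    need = negotiate_header_bytes(estimate_token_bytes(d, s)) + other
    return need <= receive_buffer(pool_xml)


def max_global_groups(pool_xml, d=0, other=OTHER_HEADERS):
    """Largest s that still fits for a given d; -1 if nothing fits."""
    s = -1
    while fits(pool_xml, d, s + 1, other):
        s += 1
    return s
```

The result is only an estimate for capacity planning. Measure real header sizes from users with the largest group memberships before settling on a buffer value.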