On 28/11/2013 10:42 p.m., Berthold Zettler wrote:
> Hi Madhav,
>
> all relevant systems (AD-Controllers and the clients (Windows 7)) have a value for "MaxTokenSize" of 65535.
>
> Therefore I don't think that this failure was caused by AD- or client settings.
>
> The tokensize (27332) reported by the MS tokensz.exe tool is far below this value.
> Our other kerberized systems (Apaches) are working fine with this large tokensize.
>
> So I think it's a squid / buffer or kerberos-helper related issue

That MAX_AUTHTOKEN_LEN (64KB) is what is used directly to allocate the Squid buffer and helper buffer, and the base-64 encoded version of the token needs to fit inside it along with the 3-5 helper protocol bytes.

A bigger problem is the Squid network I/O parsing. The buffer holding HTTP headers also has a default maximum length of 64KB ... for the entire HTTP header block.

http://www.squid-cache.org/Doc/config/request_header_max_size/
http://www.squid-cache.org/Doc/config/reply_header_max_size/

If you need to, you can bump those up to around 256KB before you start to hit other limits in the primary I/O buffer itself.

PS. You should also look to the library Squid is using. It may have limits or problems of its own separate from the Apache systems library.

PPS. The IETF HTTPbis WG did an analysis of much software a while back and concluded that the maximum generally acceptable HTTP header length was 4KB. Squid with its 64KB limit is one of the more accepting out there. So be careful of *any* other software involved with that traffic.

Amos
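
A check of the limits discussed in the message above, as an added example that is not part of the original e-mail and not Squid's own code: it measures a Negotiate token and its whole header block against the helper buffer and header-size limits. The exact byte values chosen for "64KB", "256KB" and "4KB", the function names and the sample request are assumptions.

```python
import base64

# Limits as described in the message; exact byte values are assumptions.
MAX_AUTHTOKEN_LEN = 64 * 1024    # auth/helper buffer ("64KB")
HELPER_OVERHEAD = 5              # worst case of the "3-5 helper protocol bytes"
HEADER_MAX_DEFAULT = 64 * 1024   # default request_header_max_size
HEADER_MAX_RAISED = 256 * 1024   # upper value suggested in the message
COMMON_HEADER_LIMIT = 4 * 1024   # figure attributed to the HTTPbis analysis


def b64_len(raw_len):
    """Length of the padded base-64 encoding of raw_len bytes."""
    return 4 * ((raw_len + 2) // 3)


def build_request(token_len):
    """Constructed sample request carrying a dummy token of token_len bytes."""
    token = base64.b64encode(b"\x00" * token_len)
    return (b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
            b"Proxy-Authorization: Negotiate " + token + b"\r\n\r\n")


def check_request(header_block):
    """Measure a raw request header block against each limit."""
    token_b64 = b""
    for line in header_block.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() in (b"authorization", b"proxy-authorization"):
            scheme, _, cred = value.strip().partition(b" ")
            if scheme.lower() == b"negotiate":
                token_b64 = cred.strip()
    total = len(header_block)
    return {
        "token_raw": len(base64.b64decode(token_b64)),
        "token_b64": len(token_b64),
        "fits_helper_buffer": len(token_b64) + HELPER_OVERHEAD <= MAX_AUTHTOKEN_LEN,
        "header_bytes": total,
        "fits_default_header_max": total <= HEADER_MAX_DEFAULT,
        "fits_raised_header_max": total <= HEADER_MAX_RAISED,
        "within_common_limit": total <= COMMON_HEADER_LIMIT,
    }


if __name__ == "__main__":
    # 27332 is the size reported in the thread; 49110 is a constructed larger case.
    for size in (27332, 49110):
        print(size, check_request(build_request(size)))
```

The second, constructed size shows the case where the encoded token still fits the helper buffer while the complete header block no longer fits the default 64KB header limit.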