Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Fixed In:
16.1.0
Opened: Sep 11, 2020
Severity: 3-Major
According to Microsoft (see https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/logging-on-user-account-fails), logging on to a user account that is a member of more than 1,010 groups (or close to that number) may fail on a Windows Server-based computer. Correspondingly, the session variable that holds group SIDs in the Kerberos Auth agent has a maximum size of around 256KB, and the session variable that holds group names in the AD Group SID Resolver agent has a maximum size of 384KB.
1. The user is unable to log in to the Windows account.
2. The user is denied access to the resource protected by the APM policy.
1. The user account is a member of more than 1,010 groups (or close to this number).
2. The concatenated group names for the user's group membership exceed 384KB.
1. Reduce the user's group membership.
2. Shorten the DNs of the groups.
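As an added example (not F5's or Microsoft's code), the following Python script sizes a user's concatenated group DNs and SIDs against the 1,010-group, 256KB and 384KB limits described here and lists the longest DNs as candidates for the shortening workaround; the separator the agents use when concatenating values into a session variable is an assumption.

```python
"""Pre-check of a user's AD group membership against the limits in this bug.
Added example, not F5 or Microsoft code. The separator the APM agents use when
concatenating values into a session variable is an assumption (default "|")."""
from dataclasses import dataclass
from typing import List

WINDOWS_GROUP_LIMIT = 1010          # Microsoft: logon may fail around this count
APM_GROUP_SIDS_LIMIT = 256 * 1024   # Kerberos Auth agent session variable (bytes)
APM_GROUP_NAMES_LIMIT = 384 * 1024  # AD Group SID Resolver session variable (bytes)

@dataclass
class MembershipReport:
    group_count: int
    names_bytes: int
    sids_bytes: int
    over_group_limit: bool
    over_names_limit: bool
    over_sids_limit: bool
    avg_dn_headroom: int  # bytes each DN could grow, on average, before hitting the cap

def assess_membership(group_dns: List[str], group_sids: List[str],
                      separator: str = "|") -> MembershipReport:
    """Size the concatenated names and SIDs as the agents would store them."""
    names_bytes = len(separator.join(group_dns).encode("utf-8"))
    sids_bytes = len(separator.join(group_sids).encode("utf-8"))
    count = len(group_dns)
    return MembershipReport(
        group_count=count,
        names_bytes=names_bytes,
        sids_bytes=sids_bytes,
        over_group_limit=count > WINDOWS_GROUP_LIMIT,
        over_names_limit=names_bytes > APM_GROUP_NAMES_LIMIT,
        over_sids_limit=sids_bytes > APM_GROUP_SIDS_LIMIT,
        avg_dn_headroom=(APM_GROUP_NAMES_LIMIT - names_bytes) // max(count, 1),
    )

def longest_dns(group_dns: List[str], n: int = 5) -> List[str]:
    """Candidates for the 'shorten the DNs' workaround: the n longest DNs first."""
    return sorted(group_dns, key=lambda dn: len(dn.encode("utf-8")), reverse=True)[:n]

if __name__ == "__main__":
    # Constructed sample: 1,050 groups under a deep OU path, past the Windows limit.
    dns = [f"CN=app-role-{i:04d},OU=Application Roles,OU=Security Groups,"
           f"DC=corp,DC=example,DC=com" for i in range(1050)]
    sids = [f"S-1-5-21-1111111111-2222222222-3333333333-{10000 + i}" for i in range(1050)]
    print(assess_membership(dns, sids))
    print(longest_dns(dns, 3))
```

With roughly 1,010 groups, the 384KB cap leaves about 389 bytes per DN on average, so the names limit is normally reached only with long DNs.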
The maximum number of user group SIDs is enforced by Microsoft. The maximum size of the user group names is enforced by BIG-IP APM to protect system resources.