October 1 2013

Remote WMI queries fail due to Kerberos token size

This post may be helpful for someone else having trouble in this unique scenario. The relevant points are:

  • Server01 exists in AD Site01 and Site01 is in Country01.
  • Server02 exists in AD Site01 and Site01 is in Country01.
  • Server03 exists in AD Site02 and Site02 is in Country02.
  • WMI queries from Server01 to Server02 work fine.
  • WMI queries from Server01 to Server03 fail. All methods of WMI queries fail – MMC, wbemtest, wmic and gmwi (Powershell) – the error message it either RPC server is unavailable or Call was canceled by the message filter.
  • Other calls in the RPC dynamic port range worked fine – for example remote MMC, remote event viewer.
  • Network Monitor shows no communication problems, successful RPC communication is obvious.
  • Firewalls (software and hardware) logs have been checked and traffic flowing as expected.

To cut a very long story short, the problem was that the maximum allowed Kerberos token size wasn’t big enough on both the source and destination servers – after increasing the MaxTokenSize to 65535 bytes (the maximum allowed) on both servers (plus a restart), remote WMI queries started to work.

Registry key to be updated:

reg add HKLMSYSTEMCurrentControlSetControlLsaKerberosParameters /v MaxTokenSize /t REG_DWORD /f /d 65535

More information on MaxTokenSize – http://support.microsoft.com/kb/327825/en-us.

Hopefully this helps someone out.



I use a maximum of one Google Ad per post to help offset some of my blog hosting costs.


Category: Windows | LEAVE A COMMENT