In XenApp 6, you may encounter the error "Access is Denied" for a few specific users when they launch an application.
Symptoms:
- The error occurs for only a few users, for all published applications
- The same applications run for many other users without any issues
- There are no access differences for the reported users with respect to XenApp 6 or Windows rights and permissions
Cause:
This issue can occur for specific user accounts that are members of a large number (say 500+) of Active Directory groups. Windows user rights enumeration then fails because the default Kerberos MaxTokenSize (12,000 bytes) cannot accommodate the details of such a large group membership.
Workaround:
Increase the Kerberos MaxTokenSize via the registry, as given below, on the XenApp 6 servers, from 12,000 bytes to 65535 bytes.
Below is the registry location for "MaxTokenSize":
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
- If the "MaxTokenSize" entry is not present under this key, create it:
- Right-click Parameters, point to New, and then click DWORD (32-bit) Value.
- Name the registry entry "MaxTokenSize".
- Right-click "MaxTokenSize", and then click Modify.
- Under Base, click Decimal.
- Type 65535, and then click OK
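The same registry change scripted for repeatable rollout across servers, as an added example that is not part of the original article. The function names are hypothetical; the script assumes an elevated PowerShell session on the XenApp 6 server and treats 12000 as the effective value when the entry is absent, as the article states.

```powershell
# Added example (not from the original article). Function names are hypothetical.
# Run from an elevated PowerShell session on each XenApp 6 server.
$KerbParams          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$DefaultMaxTokenSize = 12000   # default stated in the article
$TargetMaxTokenSize  = 65535   # value the article's workaround sets

function Get-KerberosMaxTokenSize {
    # Returns the configured value, or the default when the entry is absent.
    $prop = Get-ItemProperty -Path $KerbParams -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($prop -and $null -ne $prop.MaxTokenSize) { return [int]$prop.MaxTokenSize }
    return $DefaultMaxTokenSize
}

function Set-KerberosMaxTokenSize {
    param([int]$Size = $TargetMaxTokenSize)
    # Create the Parameters key first if it does not exist yet.
    if (-not (Test-Path $KerbParams)) {
        New-Item -Path $KerbParams -Force | Out-Null
    }
    # -Force creates the DWORD if missing and overwrites it if present.
    New-ItemProperty -Path $KerbParams -Name MaxTokenSize `
        -PropertyType DWord -Value $Size -Force | Out-Null
}

# Diagnostic: number of group SIDs in the token of the account running this script.
$groupCount = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Count
Write-Output ("Group SIDs in current logon token: {0}" -f $groupCount)

$before = Get-KerberosMaxTokenSize
Write-Output ("MaxTokenSize before change: {0}" -f $before)

if ($before -lt $TargetMaxTokenSize) {
    Set-KerberosMaxTokenSize -Size $TargetMaxTokenSize
    Write-Output ("MaxTokenSize after change:  {0}" -f (Get-KerberosMaxTokenSize))
} else {
    Write-Output "No change needed."
}
```

Restart the server after the change so that the new value takes effect.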
Recommended Fix:
Don’t configure large AD group memberships for user accounts. This also lets user-specific AD actions such as logon, profile creation on new logons, logoff, etc. run faster.