Error on Application launch: Access Denied during Windows Logon

Error on Application launch: Access Denied during Windows Logon

book

Article ID: CTX138329

calendar_today

Updated On:

Description

When a user launches a published application they see Access denied error during Windows logon. Problem does not happen for all users and happens only for a subset of users.

Environment

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Resolution

To resolve the issue, create a new REG_DWORD at the following registry path on the server to increase the Kerberos MaxTokenSize:

Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Name: MaxTokenSize
Type: REG_DWORD
Value: 48000 (Decimal)

Note: After modifying the registry, restart the server.


Problem Cause

The user launching the published application is member of a large number of groups.

Additional Information

https://blogs.technet.microsoft.com/shanecothran/2010/07/16/maxtokensize-and-kerberos-token-bloat/
Thread: "Access is Denied" for one user in Xenapp 6
How to use Group Policy to add the MaxTokenSize registry entry to multiple computers