If you run into the following error when trying to logging in to your SQL server from a remote computer using SQL Management studio:
You might see the following error in the SQL server logs:
Date 01.01.2012 08:26:37 Log SQL Server (Current - 04.10.2012 08:26:00) Source Logon Message Error: 17832, Severity: 20, State: 8.
Date 01.01.2012 08:26:37 Log SQL Server (Current - 01.01.2012 08:26:00) Source Logon Message The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT:]
The SQL Server computer was unable to process the client login packet. This may be because the packet was created improperly or because the packet was damaged during transmission. It can also be caused by the configuration of the SQL Server computer. The IP address listed is the address of the client computer.
When using Windows Authentication in a Kerberos environment, a client receives a Kerberos ticket that contains a Privilege Attribute Certificate (PAC). The PAC contains various types of authorization data including groups that the user is a member of, rights the user has, and what policies apply to the user. When the client receives the Kerberos ticket, the information contained in the PAC is used to generate the user’s access token. The client presents the token to the SQL Server computer as part of the login packet.
If the token was improperly created or damaged during transmission, SQL Server cannot offer additional information about the problem.
When the user is a member of many groups or has many policies, the token may grow larger than normal to list them all. If the token grows larger than the MaxTokenSize value of the server computer, the client fails to connect with a General Network Error (GNE) and error 17832 can occur. This problem may affect only some users: users with many groups or policies. When the problem is the MaxTokenSize value of the server computer, error 17832 in the SQL Server error log will be accompanied by an error with state 9. For additional details about the Kerberos and MaxTokenSize , see KB327825http://support.microsoft.com/kb/327825
To resolve this problem, increase the MaxTokenSize value of the server computer, to a size large enough to contain the largest token of any user in your organization. To research the correct token size for your organization, consider using the Tokensz application. For more information, see http://go.microsoft.com/fwlink/?LinkId=111047http://go.microsoft.com/fwlink/?LinkId=111047
Incorrectly editing the registry can severely damage your system. Before making changes to the registry, we recommend that you back up any valued data on the computer.
To change the MaxTokenSize on the server computer:
On the Start menu, click Run.
- Type regedit, and then click OK. (If the User Account Control dialog box appears, click Continue.)
- Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
- If the MaxTokenSize parameter is not present, right-click Parameters, point to New, and then click DWORD (32-bit) Value. Name the registry entry MaxTokenSize.
- Right-click MaxTokenSize, and then click Modify.
- In the Value data box type the desired MaxTokenSize value.
Hexadecimal value ffff (decimal value 65535) is the maximum recommended token size. Providing this value would probably solve the problem, but could have negative computer-wide effects with regard to performance. We recommend that you establish the minimum MaxTokenSize value that allows for the largest token of any user in your organization and enter that value.
- Click OK.
- Close Registry Editor.
Restart the computer.