SID Compression, as seen through a packet capture

The following was demonstrated to me a few years back while at an ADDS '12 training class. Having a background in networking, I figured I'd try it out in my lab. The lab for this consists of one 2008 DC and one 2012 DC. I have a Windows 8.1 client that will access a file share on the server wds01, first while only the 2008 DC is online and again while only the 2012 DC is online. Using Network Monitor we can see the KRB_TGS_REP message sent in reply to the Windows 8.1 client's KRB_TGS_REQ message. What we're interested in is the size of the KRB_TGS_REP message when leveraging the 2008 DC vs. the 2012 DC. To start, I've added the user "joey" to 1k domain local groups. Why domain local? Because SID compression for domain local groups is new in 2012; before that, only global groups inside the user's domain and universal groups inside or outside of the user's domain were compressed.

Below you can see that accessing the service principal cifs/ has generated a service ticket request (KRB_TGS_REQ) to the ticket granting service (TGS). Remember, this is the 2008 DC. In reply to the service ticket request, the TGS generates a service ticket (KRB_TGS_REP) which contains the user's authentication data (e.g. the user's SID and the SIDs of the groups the user is a member of). Check out the 41,542 byte size: it's just under the 2012 ADDS 48,000 byte MaxTokenSize.

Doing the same thing as above, but now with the 2008 DC offline and the 2012 DC online, we can see a significant difference in the KRB_TGS_REP size. Pretty cool: 2012 SID compression in action.
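To put rough numbers on the difference between the two captures, here is an added Python estimator (not from the original post) that sizes the PAC group data according to the MS-PAC KERB_VALIDATION_INFO layout: GroupIds and ResourceGroupIds entries are an 8-byte RID plus attributes, while ExtraSids carry the full binary SID plus attributes, and the 2012 KDC's resource SID compression is modelled as moving same-domain domain local groups into ResourceGroupIds behind a single ResourceGroupDomainSid. The domain SID, group RIDs and membership list are constructed values, and NDR marshaling overhead is ignored, so the totals are lower bounds rather than the exact on-the-wire sizes.

```python
GROUP_MEMBERSHIP_BYTES = 8   # GROUP_MEMBERSHIP: RelativeId (4) + Attributes (4)
ATTRIBUTES_BYTES = 4         # Attributes field of KERB_SID_AND_ATTRIBUTES

# Constructed lab values (not from the original post): the account domain SID.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def binary_sid_length(sid: str) -> int:
    """Length of a SID in binary form: 8 header bytes + 4 per sub-authority."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return 8 + 4 * (len(parts) - 3)


def domain_part(sid: str) -> str:
    """Strip the RID so a group SID can be matched against the account domain."""
    return sid.rsplit("-", 1)[0]


def pac_group_bytes(user_domain: str, groups, resource_sid_compression: bool) -> dict:
    """Estimate PAC group bytes for (sid, scope) tuples; scope is
    "global", "universal" or "domain_local"."""
    group_ids = resource_group_ids = extra_sids = 0
    for sid, scope in groups:
        if domain_part(sid) != user_domain:
            # RIDs in GroupIds/ResourceGroupIds are relative to one domain SID,
            # so a SID from any other domain can only travel as a full ExtraSid.
            extra_sids += binary_sid_length(sid) + ATTRIBUTES_BYTES
        elif scope in ("global", "universal"):
            group_ids += GROUP_MEMBERSHIP_BYTES
        elif scope == "domain_local" and resource_sid_compression:
            # 2012 KDC: RID only; the domain SID is stored once as ResourceGroupDomainSid.
            resource_group_ids += GROUP_MEMBERSHIP_BYTES
        else:
            # 2008 KDC: every domain local group is a full SID in ExtraSids.
            extra_sids += binary_sid_length(sid) + ATTRIBUTES_BYTES
    resource_domain_sid = binary_sid_length(user_domain) if resource_group_ids else 0
    return {"GroupIds": group_ids, "ResourceGroupIds": resource_group_ids,
            "ResourceGroupDomainSid": resource_domain_sid, "ExtraSids": extra_sids,
            "total": group_ids + resource_group_ids + resource_domain_sid + extra_sids}


def lab_groups(n_domain_local: int = 1000):
    """Constructed membership: a user in Domain Users plus n domain local groups."""
    groups = [(f"{DOMAIN_SID}-513", "global")]
    groups += [(f"{DOMAIN_SID}-{rid}", "domain_local")
               for rid in range(1100, 1100 + n_domain_local)]
    return groups


if __name__ == "__main__":
    for compressed in (False, True):
        label = "2012 KDC (compressed)" if compressed else "2008 KDC (uncompressed)"
        print(label, pac_group_bytes(DOMAIN_SID, lab_groups(), compressed))
```

With 1,000 domain local groups the ExtraSids section alone is 32,000 bytes on the 2008 KDC, versus 8,024 bytes of ResourceGroupIds plus ResourceGroupDomainSid on the 2012 KDC, which is the order of magnitude the two captures show.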

Note: several details of Kerberos were glossed over here, as was how SID compression actually works with regard to the de-duplication of domain SIDs. For a fully detailed explanation I suggest reading Chapter 8 in the Windows Server 2008 Active Directory Resource Kit and checking out the first reference listed below.
