We have an issue that when a user is a member of too many Windows AD (2003) security groups (roughly 65) they won't get authenticated by our ACS 4.1.
The 1st thing we investigated was the Windows Kerberos authentication issue. Which basically says that if a user is a member of more than 70 security groups then Kerberos authentication might fail. However we've used the tokensz.exe tool to calculate that the affected users Kerberos Token size isn't above the problem 12,000 bytes. Link to that issue http://technet.microsoft.com/en-us/library/cc757478%28WS.10%29.aspx
On the ACS, when a user is a member of too many security groups, the error message is "External user not found". When the user is brought down to the "magic" number of security groups authentication works no problem.
At the same time on the DC errors can be found in the CSWinAgent.log file.
CSWinAgent 01/18/2010 12:25:23 A 0063 5720 NTLIB: Insufficient space for all of user [email protected] certificates
CSWinAgent 01/18/2010 12:25:23 A 0063 5720 NTLIB: Group list buffer is too small for getting full groups list.
So we are starting to think that the DC and / or CSWinAgent is causing us issues. Has anyone experienced similar issues?