Description
SEC_E_TOKEN_TOO_LARGE (hex code 0x80090317, decimal -2146893033) is a Windows warning-level error code in the Active Directory & Kerberos family. Microsoft surfaces this code through the Win32 API, the Common Language Runtime, the kernel, the event log, PowerShell, command-line tools (sfc, dism, gpupdate, sc), and Windows-side applications such as Outlook, Teams, Office, and System Center.
The security token exceeds the maximum allowed size. Too many group memberships — Kerberos token bloat.
This page documents what triggers 0x80090317, the most common scenarios where it appears, the likely root causes, and a step-by-step troubleshooting workflow you can run against affected endpoints. It is intended for system administrators, MSP technicians, helpdesk engineers, and anyone diagnosing Windows behavior in a managed environment.
In-depth explanation
This is a warning-severity code. The operation did not necessarily fail; Windows may have completed it with side effects, conflicts, or a state that requires user attention. It is normally safe to retry, but should still be logged so repeated occurrences can be triaged.
It is part of the Active Directory / Kerberos / SSPI error space. These codes typically surface in the Security event log, on the client side via Outlook, RDP, file shares, or SQL Server, and on the domain controller side in Netlogon.log and kerberos traces.
The code can be looked up programmatically in PowerShell with [ComponentModel.Win32Exception]::new(-2146893033).Message (for Win32 / NTSTATUS codes that map cleanly), or with net helpmsg <decimal> for the legacy decimal range. For HRESULT-style codes, decode the facility and code with err.exe from the SDK or via the WinDbg !error command.
Common causes
- Time skew between client and DC greater than 5 minutes (Kerberos hard limit).
- Missing or duplicate Service Principal Name (SPN) on the target service account.
- Computer account password out of sync with AD — rejoin the domain or run
nltest /sc_reset. - DNS resolution failing for the DC — verify
_kerberos._tcp.<domain>SRV records. - Trusted root or intermediate CA missing on the client (smartcard / PKINIT scenarios).
Troubleshooting steps
- Verify time sync with
w32tm /query /status— both client and DC must be within 5 minutes of each other. - Check SPNs:
setspn -L <account>on the service account, andsetspn -Xacross the forest to detect duplicates. - Re-establish the secure channel from an affected member:
nltest /sc_verify:<domain>, thennltest /sc_reset:<domain>if needed. - Validate DNS: from the client,
nslookup -type=SRV _kerberos._tcp.<domain>must return reachable DCs. - Capture a network trace with
netsh traceor Wireshark filtered onkerberosto see the exact AS/TGS error code.
Decode in PowerShell
# Decode 0x80090317 (-2146893033) in PowerShell
[ComponentModel.Win32Exception]::new(-2146893033).Message
# Or via WinDbg / err.exe (Windows SDK)
# err 0x80090317
# Or net helpmsg (legacy decimal range only)
# net helpmsg <decimal>Frequently asked questions
What does the Windows error code 0x80090317 mean?
SEC_E_TOKEN_TOO_LARGE (decimal -2146893033). The security token exceeds the maximum allowed size. Too many group memberships — Kerberos token bloat.How do I decode 0x80090317 in PowerShell?
[ComponentModel.Win32Exception]::new(-2146893033).Message in any PowerShell session. For HRESULT-style codes, use err.exe from the Windows SDK or the WinDbg !error command.Where does Windows typically log this error?
%WinDir%\WindowsUpdate.log; AD/Kerberos → Security event log on the DC; BSOD → minidump under C:\Windows\Minidump; MSI → %TEMP%\msi*.log; WMI → Microsoft-Windows-WMI-Activity). Always cross-reference the timestamp and module name with the Application and System event logs.Is this code recoverable?
Should I open a Microsoft support case for this?
Get-WinEvent export ready before opening the case.