
Microsoft small business knowledge base

Article ID: 2020943 - Last Review: March 17, 2010 - Revision: 22.0

Symptoms

A domain user attempts to browse to a website hosted on Internet Information Services (IIS) 6.0 or higher by using Internet Explorer 6.0 or later.  The website is configured to use Kerberos authentication.  Instead of receiving the expected web page, the user is presented with an error message similar to the following:

HTTP 400 - Bad Request (Request header too long)

 

Cause

This issue may occur when the user is a member of many Active Directory user groups. When a user is a member of a large number of Active Directory groups, the Kerberos authentication token for the user increases in size. The HTTP request that the user sends to the IIS server contains the Kerberos token in the WWW-Authenticate header, and the header size increases as the number of groups goes up.  If the HTTP header or packet size increases past the limits configured in IIS, IIS may reject the request and send this error as the response.

 

Resolution

To work around this problem, choose one of the following options:

A) Decrease the number of Active Directory groups that the user is a member of.

OR

B) Modify the MaxFieldLength and the MaxRequestBytes registry settings on the IIS server so the user's request headers are not considered too long.  To determine the appropriate settings for the MaxFieldLength and the MaxRequestBytes registry entries, use the following calculations:

    1. Calculate the size of the user's Kerberos token using the formula described in the following article:

       New resolution for problems with Kerberos authentication when users belong to many groups
       http://support.microsoft.com/kb/327825


    2. Configure the MaxFieldLength and the MaxRequestBytes registry keys on the IIS server with a value of 4/3 * T, where T is the user's token size, in bytes.  HTTP encodes the Kerberos token using base64 encoding and therefore replaces every 3 bytes in the token with 4 base64 encoded bytes.  Changes that are made to the registry will not take effect until you restart the HTTP service. Additionally, you may have to restart any related IIS services.

 

NOTE: Depending on your application environment, you could also consider configuring the web site to use NTLM instead of Kerberos to work around this problem.  Some application environments require Kerberos to be used for delegation purposes, and Kerberos is more secure than NTLM, so it is recommended that you do not disable Kerberos before considering the security and delegation ramifications of doing so.


 

More Information

By default, the MaxFieldLength registry entry is not present. This registry entry specifies the maximum size limit of each HTTP request header. The MaxRequestBytes registry entry specifies the upper limit for the total size of the Request line and the headers. Typically, the MaxFieldLength registry entry is configured together with the MaxRequestBytes registry entry. If the MaxRequestBytes value is lower than the MaxFieldLength value, the MaxFieldLength value is adjusted.  In large Active Directory environments, users may experience logon failures if the values for both these entries are not set to a sufficiently high value.

For Internet Information Services (IIS) 6.0 and later, the MaxFieldLength and MaxRequestBytes registry keys are located at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.  Configure them as shown in the following table:

 

Name              Value Type   Value Data
MaxFieldLength    DWORD        (4/3 * T bytes) + 200
MaxRequestBytes   DWORD        (4/3 * T bytes) + 200

 

Alternatively, you may set the registry keys to the maximum values shown below. The administrator should consider all potential security ramifications before making any changes to the registry settings:

   

Name              Value Type   Value Data
MaxFieldLength    DWORD        65534
MaxRequestBytes   DWORD        16777216

 

IMPORTANT: Changing these registry keys can be considered extremely dangerous. These keys allow larger HTTP packets to be sent to IIS, which in turn may cause Http.sys to use more memory and may increase vulnerability to malicious attacks.

 

NOTE: If MaxFieldLength is configured to its maximum value of 64KB, then the MaxTokenSize registry value should be set to 3/4 * 64 = 48KB.  For more information on the MaxTokenSize setting, please see the Microsoft knowledge base article KB327825 listed below.
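
The sizing rule above as a read-only PowerShell check, added here as an example and not part of the Microsoft article: it computes (4/3 * T) + 200 and compares the result with what is currently set under HTTP\Parameters, so the limits can be raised only as far as needed instead of to the maximum values. The function names and the 12,000-byte sample token are assumptions; T must come from the KB327825 formula.

```powershell
# Added example, not from the KB article. Function and parameter names are hypothetical.
function Get-HttpSysHeaderLimit {
    param(
        [Parameter(Mandatory)][int]$TokenSizeBytes,  # T, the token size from the KB327825 formula
        [int]$Overhead = 200                         # the "+ 200" in the article's table
    )
    if ($TokenSizeBytes -lt 1) { throw 'TokenSizeBytes must be a positive number of bytes.' }

    # base64 replaces every 3 token bytes with 4 bytes, padded up to a whole 4-byte block
    $required = 4 * [int][math]::Ceiling($TokenSizeBytes / 3) + $Overhead

    $maxFieldLength = 65534                          # maximum MaxFieldLength listed in the article
    if ($required -gt $maxFieldLength) {
        throw "A $TokenSizeBytes-byte token needs $required header bytes, above the MaxFieldLength maximum of $maxFieldLength. Reduce group membership (option A)."
    }
    $required
}

function Test-HttpSysHeaderLimit {
    param([Parameter(Mandatory)][int]$TokenSizeBytes)

    $required   = Get-HttpSysHeaderLimit -TokenSizeBytes $TokenSizeBytes
    $key        = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $httpParams = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
        # The entries are absent unless an administrator created them
        $current = $null
        if ($httpParams -and $httpParams.PSObject.Properties[$name]) { $current = $httpParams.$name }

        $status = if ($null -eq $current)      { 'NotSet' }
                  elseif ($current -lt $required) { 'TooSmall' }
                  elseif ($current -gt $required) { 'LargerThanNeeded' }
                  else                            { 'Matches' }

        [pscustomobject]@{ Name = $name; Current = $current; Required = $required; Status = $status }
    }
}

# Constructed sample input: a 12,000-byte token (assumed value for illustration)
Test-HttpSysHeaderLimit -TokenSizeBytes 12000 | Format-Table -AutoSize
```

A `LargerThanNeeded` result on a server set to the maximum values is the case the IMPORTANT note above describes; the check only reads the registry and changes nothing.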

 

 

More Information about the topics discussed in this article can be found at the following locations:

Http.sys registry settings for IIS
http://support.microsoft.com/kb/820129/en-us

 

Error logging in HTTP API
http://support.microsoft.com/?id=820729

 

New resolution for problems with Kerberos authentication when users belong to many groups
http://support.microsoft.com/kb/327825

 

Error message when an Outlook Web Access user tries to access a mailbox in Exchange Server 2003
http://support.microsoft.com/kb/920862

 

  

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.

APPLIES TO
  • Microsoft Internet Information Services 6.0
  • Microsoft Internet Information Services 7.0
  • Microsoft Internet Information Services 7.5
Keywords: 
KB2020943