When browsing a website, there is an ongoing client server interaction, which at times can be broken due to a bad server response. A 404 Bad Request Error is a type of server response code.

When an HTTP request that needs Kerberos authentication is sent to a website that's hosted on Internet Information Services (IIS) and is configured to use Kerberos authentication, the HTTP request header would be very long. This article helps you work around the HTTP 400 error that occurs when the HTTP request header is too long.

Original product version: Windows Server 2016
Original KB number: 2020943

Symptoms

An HTTP request that needs Kerberos authentication is sent from a browser to a website that's hosted on IIS. The website is configured to use Kerberos authentication. However, instead of receiving the expected webpage, you receive an error message that resembles the following one:

HTTP 400 - Bad Request (Request header too long)

This response could be generated by any HTTP request that includes Windows Remote Management (WinRM).

This issue may occur if the user is a member of many Active Directory user groups. The HTTP request to the server contains the Kerberos token in the If the HTTP header or packet size increases past the limits that are configured on the server, the server may reject the request and send an error message as the response.

Workaround 1: Decrease the number of Active Directory groups

Decrease the number of Active Directory groups that the user is a member of.

Workaround 2: Set MaxFieldLength and MaxRequestBytes registry entries

Increase the settings for the MaxFieldLength and the MaxRequestBytes registry entries on the server so that the user's request headers don't exceed these values. To determine the appropriate settings, use the following calculations:

Calculate the size of the user's Kerberos token by using the formula described in the following article: Problems with Kerberos authentication when a user belongs to many groups.

Set the value of MaxFieldLength and MaxRequestBytes on the server to 4/3 * T bytes, where T is the user's token size in bytes. HTTP encodes the Kerberos token by using base64 encoding. This replaces every three bytes in the token with four base64-encoded bytes.

Changes that are made to the registry do not take effect until you restart the HTTP service. Additionally, you may have to restart any related services, such as IIS services.

Depending on your application environment, you might also work around this problem by configuring the website to use Windows NT LAN Manager (NTLM) instead of Kerberos. Some application environments require Kerberos authentication to be used for delegation. We consider Kerberos authentication to be more secure than NTLM. And we recommend that you don't disable Kerberos authentication before you consider the security and delegation ramifications.

More information

By default, there is no MaxFieldLength registry entry. This entry specifies the maximum size limit of each HTTP request header. The MaxRequestBytes registry entry specifies the upper limit for the total size of the Request line and the headers. Typically, this registry entry is configured together with the MaxRequestBytes registry entry. If the MaxRequestBytes value is lower than the MaxFieldLength value, the MaxFieldLength value is adjusted. In large Active Directory environments, users may experience logon failures if the values for both these entries aren't set to a sufficiently high value.

For IIS 6.0 and later, the MaxFieldLength and MaxRequestBytes registry keys are located at the following sub key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

Set the key values as shown in the following table:

You can also set the registry keys to their maximum values, as shown in the next table. Consider all potential security ramifications before you make any changes to the registry settings.
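
An audit script for Workaround 2, added here as an example and not taken from the original article: it computes the header size that a token of T bytes needs after base64 encoding and compares it with the values currently under the HTTP\Parameters key, without changing anything. The sample token size, the allowance for the rest of the request, the 16384-byte default used when an entry is absent, and counting the whole `Authorization: Negotiate` header line against MaxFieldLength are assumptions.

```powershell
# Added example: read-only audit, run on the IIS server. Nothing is written.
param(
    [int]$TokenBytes = 24000,        # constructed sample for T; use the estimate for the affected user
    [int]$OtherRequestBytes = 2048   # constructed allowance for the request line and the other headers
)

# Base64 turns every 3 token bytes into 4 characters, rounded up to a full group,
# so the encoded token is never smaller than 4/3 * T.
$encoded = 4 * [int][math]::Ceiling($TokenBytes / 3)

# Assumption: the client sends the token as "Authorization: Negotiate <base64>"
# and the whole header line counts against the per-header limit (conservative).
$headerBytes = 'Authorization: Negotiate '.Length + $encoded

# MaxFieldLength bounds one header; MaxRequestBytes bounds the request line plus
# all headers, so it also has to cover everything else in the request.
$required = [ordered]@{
    MaxFieldLength  = $headerBytes
    MaxRequestBytes = $headerBytes + $OtherRequestBytes
}

$key     = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
$current = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

# Assumption (not stated in the article): limit that applies when the entry is absent.
$assumedDefault = 16384

foreach ($name in $required.Keys) {
    $configured = $current.$name   # $null when the entry does not exist
    $effective  = if ($null -ne $configured) { $configured } else { $assumedDefault }
    [pscustomobject]@{
        Entry      = $name
        Configured = if ($null -ne $configured) { $configured } else { '(not set)' }
        Required   = $required[$name]
        Sufficient = $effective -ge $required[$name]
    }
}
```

Raising a limit only as far as the `Required` column shows keeps the accepted request size as small as the largest legitimate token allows.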