Article ID: 955585
The HTTP request that was sent to the IIS server had a request header that exceeded the allowable request header length configured on the IIS server. Specifically, the Authorization header contained a very large Kerberos authentication ticket. The Kerberos ticket was so large because the user is a member of many groups in Active Directory.
For security purposes, the HTTP.sys component on the IIS server rejects the incoming HTTP request because it exceeds the configured size limits.
Configure the HTTP registry keys MaxFieldLength and MaxRequestBytes on the IIS server to allow for larger request header sizes.
IMPORTANT: Changing these registry keys is considered extremely dangerous. Increasing these keys' values will cause HTTP.sys to use more memory and may increase vulnerability to malicious attacks. If changing these keys is your only option, do not set their values larger than they need to be. Information on determining how large the request headers are and therefore what value to set the registry keys is found later in this article.
For more information on the HTTP.sys registry keys for IIS, please see the following article:
Http.sys registry settings for IIS (http://support.microsoft.com/kb/820129)
For more information on HTTP.sys error logging, please see the following article:
Error logging in HTTP API (http://support.microsoft.com/kb/820729)
To determine the actual HTTP request size, it can be helpful to use a network monitor trace. With this trace, we can calculate the size of the HTTP request and compare it against the setting on the IIS server.
It is also useful to consult the HTTP.sys error log for information.
Determining HTTP Request Size
The key to resolving this particular problem was to show that CLM was trying to send an HTTP request to the server that is greater than either the default value of 16k or the custom values set for MaxFieldLength and MaxRequestBytes. To do this, we can use a combination of:
Netmon3
In the Netmon trace, to determine how large the HTTP request is, use the following steps:
(http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.
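The size comparison described above can be scripted once the raw request bytes have been exported from the trace. The following is an added example, not part of the original article or any Microsoft tool; the function names and the sample request are constructed, and counting each header as its whole line (name, colon and value) is an assumption about how the limit is applied.

```python
# Added example: measure HTTP request header sizes from captured bytes and
# compare them with the MaxFieldLength / MaxRequestBytes limits.
# Function names are hypothetical; the sample request is constructed.

DEFAULT_LIMIT = 16 * 1024  # the 16k default mentioned in the article


def measure_request(raw: bytes) -> dict:
    """Return the size of request line + headers and the length of each header."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("capture does not contain the end of the header block")
    fields = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, colon, _value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line[:40]!r}")
        key = name.decode("ascii").strip().lower()
        # Assumption: a header's length is its whole line; a repeated header
        # is reported by its largest single occurrence.
        fields[key] = max(fields.get(key, 0), len(line))
    return {"total": len(head) + len(sep), "fields": fields}


def check_limits(raw, max_field_length=DEFAULT_LIMIT, max_request_bytes=DEFAULT_LIMIT):
    """List what exceeds the limits; an empty list means the request fits."""
    sizes = measure_request(raw)
    findings = []
    for name, length in sorted(sizes["fields"].items()):
        if length > max_field_length:
            findings.append(f"{name}: {length} bytes > MaxFieldLength {max_field_length}")
    if sizes["total"] > max_request_bytes:
        findings.append(
            f"request line + headers: {sizes['total']} bytes > MaxRequestBytes {max_request_bytes}"
        )
    return findings


def sample_request(token_len: int) -> bytes:
    """Constructed request whose Authorization header carries token_len filler bytes."""
    token = b"A" * token_len  # stands in for a base64-encoded Kerberos ticket
    return (b"GET /app/ HTTP/1.1\r\nHost: iis.example.test\r\n"
            b"Authorization: Negotiate " + token + b"\r\n\r\n")


if __name__ == "__main__":
    for n in (2000, 20000):
        print(n, check_limits(sample_request(n)) or "within limits")
```

The largest value reported is the smallest limit that would admit the request, which keeps the registry values no larger than they need to be.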