FIX: HTTP cookie headers are not forwarded to the published server in Forefront Unified Access Gateway 2010 when the total cookie header size in the client request exceeds 5,120 bytes

Article translations Article translations
Article ID: 2812389 - View products that this article applies to.
Expand all | Collapse all

On This Page

Symptoms

Microsoft Forefront Unified Access Gateway (UAG) 2010 does not forward the HTTP cookie header to the published server when the total cookie header size in the client request exceeds 5,120 bytes (5 KB).

Cause

This problem is caused by a Forefront UAG HTTP header parsing function when the total length of all HTTP cookie headers in the request exceeds the limit of the Forefront UAG maximum cookie header length buffer. When this cookie header length value is too large, the function returns a NULL cookie header in the request that is forwarded to the published resource. 

Resolution

To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:

2744025 Description of Forefront Unified Access Gateway 2010 Service Pack 3

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More information

Although the size of a single cookie that a web browser sends can be 4 KB, the total request cookie header size may be larger because this total size may include multiple cookies or even multiple cookie headers. In addition, external applications that create lots of individual cookies may generate the client HTTP request, and this increases the total HTTP cookie header size. 

Active Directory Federation Services (AD FS) 2.0 claims authentication that is configured for a Forefront UAG trunk together with a published Microsoft SharePoint application also use claims authentication. This is true especially in the case in which there is a federated AD FS implementation. In this particular scenario, the total cookie header length can become fairly large. If the client request cookie header is not forwarded appropriately to the published AD FS or SharePoint application, the user may experience intermittent authentication failure or additional AD FS realm selection pages.

Because there may be multiple scenarios that result in a client request that has a total cookie header size greater than 5,120 bytes, Forefront UAG was changed to handle these requests appropriately.

References

For more information about Http.sys settings for Windows, go to the following Microsoft TechNet website:

Http.sys registry settings for Windows
For more information about cookies in Internet Explorer, go to the following Microsoft TechNet website:

Number and size limits of a cookie in Internet Explorer
For more information about the RFC 2109 specifications, go to the following websites:

Internet Engineering Task Force (IETF) RFC 2109 specifications

World Wide Web Consortium (W3C) RFC 2109
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 2812389 - Last Review: February 20, 2013 - Revision: 1.0
Applies to
  • Microsoft Forefront Unified Access Gateway 2010
  • Microsoft Forefront Unified Access Gateway 2010 Service Pack 1
  • Microsoft Forefront Unified Access Gateway 2010 Service Pack 2
Keywords: 
kbqfe kbfix kbexpertiseinter kbsurveynew kbbug KB2812389

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com