"HTTP 400 - Bad Request (Request Header too long)" response to HTTP request


Symptoms


An HTTP request that requires Kerberos authentication is sent from a browser to a website that's hosted on Internet Information Services (IIS). The website is configured to use Kerberos authentication. However, instead of receiving the expected webpage, you receive an error message that resembles the following:

HTTP 400 - Bad Request (Request Header too long)


Note This response is generated by the HTTP.sys kernel-mode driver before the request reaches the application, so it can be produced by any HTTP request to a service that's built on HTTP.sys, not only IIS. Windows Remote Management (WinRM) listeners are a common example.

Cause


This issue may occur if the user is a member of many Active Directory user groups.

The server challenges the client with a WWW-Authenticate: Negotiate header, and the client answers with an Authorization: Negotiate header that carries the base64-encoded Kerberos token. The token includes the SID of every group that the user is a member of, so the header size grows with the number of groups. If the header or the total request size exceeds the limits that are configured for HTTP.sys on the server, the server rejects the request and returns the HTTP 400 error instead of passing the request to the application.

Workaround


To work around this problem, use one of the following methods.

Method 1

Decrease the number of Active Directory groups that the user is a member of.
 

Method 2

Increase the MaxFieldLength and MaxRequestBytes registry entries on the server so that the user's request headers don't exceed these values. To determine the appropriate settings, use the following calculations:

  1. Calculate the size of the user's Kerberos token (T, in bytes) by using the formula that's described in the following Knowledge Base article:

    327825 Problems with Kerberos authentication when a user belongs to many groups

  2. Set MaxFieldLength and MaxRequestBytes on the server to at least 4/3 * T, where T is the user's token size in bytes. The token is sent base64-encoded, and base64 replaces every three bytes of the token with four encoded bytes. The table in the More Information section adds 200 bytes of headroom for the header name, the Negotiate prefix, and padding. Because MaxRequestBytes limits the request line and all headers together, the encoded token size is a floor for that value, not a ceiling.

    Note Changes that are made to the registry do not take effect until you restart the HTTP service. Additionally, you may have to restart any related services, such as IIS services.

Depending on your application environment, you might also be able to work around this problem by configuring the website to use NTLM instead of Kerberos. However, some application environments require Kerberos authentication to be used for delegation. We consider Kerberos authentication to be more secure than NTLM. Therefore, we recommend that you do not disable Kerberos authentication before you consider the security and delegation ramifications of doing this.

More Information


By default, there is no MaxFieldLength registry entry, and HTTP.sys uses its built-in limit. This entry specifies the maximum size of a single HTTP request header. The MaxRequestBytes registry entry specifies the upper limit for the total size of the request line and all headers. The two entries are typically configured together. If the MaxRequestBytes value is lower than the MaxFieldLength value, the MaxFieldLength value is adjusted to match it, so raising MaxFieldLength alone has no effect. In large Active Directory environments, users may experience logon failures if both entries are not set to sufficiently high values.

For Internet Information Services (IIS) 6.0 and later, the MaxFieldLength and MaxRequestBytes registry values are located under the following subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

Set the values as shown in the following table:

Name             Value Type   Value Data
MaxFieldLength   DWORD        (4/3 * T bytes) + 200
MaxRequestBytes  DWORD        (4/3 * T bytes) + 200


You can also set the values to their maximums, as shown in the next table. Consider all potential security ramifications before you change these registry settings: larger limits let any unauthenticated client send correspondingly larger request headers.

Name             Value Type   Value Data
MaxFieldLength   DWORD        65534
MaxRequestBytes  DWORD        16777216

Note If MaxFieldLength is set to its maximum value of 65534 (about 64 KB), MaxTokenSize should be set to no more than 3/4 * 64 KB = 48 KB (48000 bytes), because a larger token cannot fit in a single header after base64 encoding. For more information about the MaxTokenSize setting, see Knowledge Base article 327825.
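The sizing procedure from Method 2 and the MaxTokenSize relation in the note above, carried out as a PowerShell script. This is an added example, not part of the Knowledge Base article. It assumes the registry paths shown in the article for HTTP.sys and the standard Lsa\Kerberos\Parameters path for MaxTokenSize, uses the KB 327825 estimate as commonly cited (1200 + 40d + 8s, where d is the number of domain-local groups and s the number of global and universal groups; check it against the current article), and the parameter names (-TokenBytes, -DomainLocalGroups, -GlobalAndUniversalGroups, -Apply, -RestartHttp) are this script's own.

```powershell
<#
  Added example, not from the KB article. Sizes MaxFieldLength/MaxRequestBytes for a
  user's Kerberos token and optionally applies them. Run elevated on the IIS/WinRM server.
  Parameter names are this script's own; the token-size estimate is the KB 327825 formula
  as commonly cited (1200 + 40d + 8s) and should be verified against that article.
#>
[CmdletBinding()]
param(
    [int]$TokenBytes = 0,                 # T: measured token size in bytes (preferred input)
    [int]$DomainLocalGroups = 0,          # d: used for the estimate when T is not supplied
    [int]$GlobalAndUniversalGroups = 0,   # s: used for the estimate when T is not supplied
    [switch]$Apply,                       # write the registry values
    [switch]$RestartHttp                  # restart HTTP.sys and its dependents afterwards
)

$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$MaxFieldLengthCap  = 65534      # largest value HTTP.sys accepts (about 64 KB)
$MaxRequestBytesCap = 16777216   # largest value HTTP.sys accepts (16 MB)
$Headroom           = 200        # "Authorization: Negotiate " prefix, base64 padding, CRLF

if ($TokenBytes -le 0) {
    if ($DomainLocalGroups -eq 0 -and $GlobalAndUniversalGroups -eq 0) {
        # No counts supplied: take the current user's group count and price every group as
        # domain-local (40 bytes each) so the estimate errs on the large side.
        $DomainLocalGroups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Count
    }
    $TokenBytes = 1200 + 40 * $DomainLocalGroups + 8 * $GlobalAndUniversalGroups   # assumed KB 327825 formula
}

# Base64 emits 4 output bytes for every 3 input bytes (rounded up): the 4/3 * T in the article.
$EncodedBytes = 4 * [int][math]::Ceiling($TokenBytes / 3)
$Wanted       = $EncodedBytes + $Headroom

[int]$NewMaxFieldLength  = [math]::Min($Wanted, $MaxFieldLengthCap)
[int]$NewMaxRequestBytes = [math]::Min($Wanted, $MaxRequestBytesCap)

# Largest raw token that still fits one header at the MaxFieldLength cap: 3/4 of (cap - headroom).
$LargestTokenThatFits = [int][math]::Floor(($MaxFieldLengthCap - $Headroom) * 3 / 4)
$MaxTokenSize = (Get-ItemProperty -Path $KerbParams -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize

$Current = Get-ItemProperty -Path $HttpParams -ErrorAction SilentlyContinue
[pscustomobject]@{
    TokenBytes             = $TokenBytes
    EncodedHeaderBytes     = $Wanted
    CurrentMaxFieldLength  = $Current.MaxFieldLength     # $null means the HTTP.sys default (16 KB)
    CurrentMaxRequestBytes = $Current.MaxRequestBytes    # $null means the HTTP.sys default (16 KB)
    NewMaxFieldLength      = $NewMaxFieldLength
    NewMaxRequestBytes     = $NewMaxRequestBytes
    MaxTokenSize           = $MaxTokenSize               # $null means the OS default
    LargestTokenThatFits   = $LargestTokenThatFits
} | Format-List

if ($Wanted -gt $MaxFieldLengthCap) {
    Write-Warning "A $TokenBytes-byte token cannot fit in one header even at the 65534 cap; reduce group membership (Method 1)."
}
if ($MaxTokenSize -and $MaxTokenSize -gt $LargestTokenThatFits) {
    Write-Warning "MaxTokenSize ($MaxTokenSize) exceeds $LargestTokenThatFits; tokens that large are rejected by HTTP.sys whatever MaxFieldLength is."
}

if ($Apply) {
    New-ItemProperty -Path $HttpParams -Name MaxFieldLength  -Value $NewMaxFieldLength  -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $HttpParams -Name MaxRequestBytes -Value $NewMaxRequestBytes -PropertyType DWord -Force | Out-Null
    if ($RestartHttp) {
        # HTTP.sys reads these values only at start. "net stop http /y" also stops dependents
        # such as W3SVC (IIS) and WinRM, so they are started again afterwards; do this in a
        # maintenance window.
        net stop http /y | Out-Null
        net start http   | Out-Null
        foreach ($svc in 'W3SVC', 'WinRM') {
            if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { Start-Service -Name $svc }
        }
    }
}
```

Run it without switches first to see the current values, the computed targets, and whether the token can fit at all; for a user with, say, 1500 domain-local groups the estimate is about 61 KB, which base64-encodes past the 65534 cap, so the script reports that Method 1 is the only option. Pass a measured token size with -TokenBytes when you have one, then re-run with -Apply and -RestartHttp during a maintenance window.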