Symptoms
Microsoft Forefront Unified Access Gateway (UAG) 2010 does not forward the HTTP cookie header to the published server when the total cookie header size in the client request exceeds 5,120 bytes (5 KB).
This problem is caused by a Forefront UAG HTTP header parsing function when the total length of all HTTP cookie headers in the request exceeds the limit of the Forefront UAG maximum cookie header length buffer. When this cookie header length value is too large, the function returns a NULL cookie header in the request that is forwarded to the published resource.
Resolution
To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:
2744025 Description of Forefront Unified Access Gateway 2010 Service Pack 3
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Although the size of a single cookie that a web browser sends can be 4 KB, the total request cookie header size may be larger because this total size may include multiple cookies or even multiple cookie headers. In addition, external applications that create lots of individual cookies may generate the client HTTP request, and this increases the total HTTP cookie header size.
Active Directory Federation Services (AD FS) 2.0 claims authentication that is configured for a Forefront UAG trunk together with a published Microsoft SharePoint application also use claims authentication. This is true especially in the case in which there is a federated AD FS implementation. In this particular scenario, the total cookie header length can become fairly large. If the client request cookie header is not forwarded appropriately to the published AD FS or SharePoint application, the user may experience intermittent authentication failure or additional AD FS realm selection pages.
Because there may be multiple scenarios that result in a client request that has a total cookie header size greater than 5,120 bytes, Forefront UAG was changed to handle these requests appropriately.
References
For more information about Http.sys settings for Windows, go to the following Microsoft TechNet website:
Http.sys registry settings for WindowsFor more information about cookies in Internet Explorer, go to the following Microsoft TechNet website:
Number and size limits of a cookie in Internet ExplorerFor more information about the RFC 2109 specifications, go to the following websites:
Internet Engineering Task Force (IETF) RFC 2109 specifications
World Wide Web Consortium (W3C) RFC 2109For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
