I'm testing an upgrade of web applications from IIS5 to IIS6. The apps
all use Windows Integrated Authentication.

IIS6 (Win 2003 Server) consistently returns 400-Bad Request (Request
Header too long). Using WFetch, I could see it does not like the big
Kerberos tickets our network users have. Forcing WFetch to
authenticate NTLM works on IIS6 and I can see it returning the page as
expected. Both NTLM and the big Kerberos tickets work on IIS5.

When we've had problems in the past with big Kerberos tickets, we've
been able to get around them with the suggested registry mods such
as...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\parameters\MaxClientRequestBuffer

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.

However, nothing makes a difference with IIS6.

Has anyone experienced this?

Re: IIS 6.0 returns "Request Header too Long" with big Kerberos tickets by David

David
Sat May 22 06:35:04 CDT 2004

For security reasons, the default header size limit defaults to 16K for both
IIS5 in W2KSP4 and IIS6, so I bet that without using MaxClientRequestBuffer,
your big Kerberos ticket won't work on IIS5, either.

MaxClientRequestBuffer is not used by IIS6.

See http://support.microsoft.com/?id=820129

You will have to tweak MaxRequestBytes to get the same behavior as
MaxClientRequestBuffer. If the Kerberos ticket is one header line and it is
too large, you may also need to tweak MaxFieldLength. You make these changes
at your own risk... I would bump the value just large enough for your use.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Vincent Olivieri" <volivier@sprynet.com> wrote in message
news:58b3b422.0405211111.bab81cf@posting.google.com...
I'm testing an upgrade of web applications from IIS5 to IIS6. The apps
all use Windows Integrated Authentication.

IIS6 (Win 2003 Server) consistently returns 400-Bad Request (Request
Header too long). Using WFetch, I could see it does not like the big
Kerberos tickets our network users have. Forcing WFetch to
authenticate NTLM works on IIS6 and I can see it returning the page as
expected. Both NTLM and the big Kerberos tickets work on IIS5.

When we've had problems in the past with big Kerberos tickets, we've
been able to get around them with the suggested registry mods such
as...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\parameters\MaxClientRequestBuffer

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.

However, nothing makes a difference with IIS6.

Has anyone experienced this?



Re: IIS 6.0 returns "Request Header too Long" with big Kerberos tickets by volivier

volivier
Thu May 27 15:15:59 CDT 2004

Thanks David.

MaxRequestBytes and MaxFieldLength were what was needed. I bumped them
up enough to let the big Kerberos ticket through + headroom for the
rest of the header.

-vao

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:<udmCWQ$PEHA.1840@TK2MSFTNGP10.phx.gbl>...
> For security reasons, the default header size limit defaults to 16K for both
> IIS5 in W2KSP4 and IIS6, so I bet that without using MaxClientRequestBuffer,
> your big Kerberos ticket won't work on IIS5, either.
>
> MaxClientRequestBuffer is not used by IIS6.
>
> See http://support.microsoft.com/?id=820129
>
> You will have to tweak MaxRequestBytes to get the same behavior as
> MaxClientRequestBuffer. If the Kerberos ticket is one header line and it is
> too large, you may also need to tweak MaxFieldLength. You make these changes
> at your own risk... I would bump the value just large enough for your use.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Vincent Olivieri" <volivier@sprynet.com> wrote in message
> news:58b3b422.0405211111.bab81cf@posting.google.com...
> I'm testing an upgrade of web applications from IIS5 to IIS6. The apps
> all use Windows Integrated Authentication.
>
> IIS6 (Win 2003 Server) consistently returns 400-Bad Request (Request
> Header too long). Using WFetch, I could see it does not like the big
> Kerberos tickets our network users have. Forcing WFetch to
> authenticate NTLM works on IIS6 and I can see it returning the page as
> expected. Both NTLM and the big Kerberos tickets work on IIS5.
>
> When we've had problems in the past with big Kerberos tickets, we've
> been able to get around them with the suggested registry mods such
> as...
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\parameters\MaxClientRequestBuffer
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.
>
> However, nothing makes a difference with IIS6.
>
> Has anyone experienced this?
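
The sizing step discussed in this thread (raise MaxFieldLength and MaxRequestBytes just far enough for the ticket plus headroom), as an added example that is not part of the original posts. It assumes HTTP.sys counts each header line and the request line plus headers roughly as measured here; the request, host name, headroom and rounding step are constructed for illustration.

```python
import base64

# HTTP.sys values from KB 820129 (set under
# HKLM\System\CurrentControlSet\Services\HTTP\Parameters): both default to 16384 bytes.
DEFAULT_LIMIT = 16384
CEILING = {"MaxFieldLength": 65534, "MaxRequestBytes": 16777216}

def measure(raw_request: bytes):
    """Return (total header bytes, longest header line in bytes, that header's name)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    header_lines = head.split(b"\r\n")[1:]       # drop the request line
    longest = max(header_lines, key=len, default=b"")
    name = longest.split(b":", 1)[0].decode("ascii")
    return len(head) + 4, len(longest), name      # +4 for the closing CRLF CRLF

def size_limit(setting: str, needed: int, headroom: int = 512, step: int = 1024) -> int:
    """Smallest multiple of step that fits needed + headroom, never below the default."""
    if needed > CEILING[setting]:
        raise ValueError(f"{needed} bytes exceeds the maximum for {setting}")
    target = needed + headroom                    # headroom and step are assumptions
    if target <= DEFAULT_LIMIT:
        return DEFAULT_LIMIT                      # default already fits, change nothing
    rounded = -(-target // step) * step           # round up to the next step
    return min(rounded, CEILING[setting])

def recommend(raw_request: bytes) -> dict:
    total, longest, name = measure(raw_request)
    return {
        "largest_header": name,
        "MaxFieldLength": size_limit("MaxFieldLength", longest),
        "MaxRequestBytes": size_limit("MaxRequestBytes", total),
    }

def sample_request(token_bytes: int) -> bytes:
    """Constructed request: zero-filled placeholder token, not a real Kerberos ticket."""
    token = base64.b64encode(bytes(token_bytes))  # Negotiate tokens travel base64-encoded
    return b"\r\n".join([
        b"GET /app/default.aspx HTTP/1.1",
        b"Host: intranet.example",
        b"Authorization: Negotiate " + token,
    ]) + b"\r\n\r\n"

if __name__ == "__main__":
    print(recommend(sample_request(14000)))
```

Feed `recommend` the raw request bytes captured from a failing client to see which header drives the size; the base64 encoding alone makes the header about a third larger than the ticket itself.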