Bad Request (Request Header too long) – Kerberos Authentication Problem with Active Directory

Saw this error pop up irregularly at a client’s site recently. It appeared as though something in Excel Calculation Services (ECS) was causing the Internet Explorer Request header to grow to a size that was larger than what the Web Front End server was prepared to handle.

I did not get an opportunity to investigate the root cause (deadlines were looming) but I believe the error was Kerberos-related (as it appeared after we enabled Kerberos) and that it had something to do with the 20-odd windows open to related ECS pages from the same site (perhaps the Kerberos ticket grew to a size that stopped it from working). The problem went away by using a new browser window, so the issue was session-based as well.

Finally it appeared to affect a specific account which was often used for testing, and as a result was a member of a lot of groups in AD.

After adjusting both of these registry values from 32767 to 65534 (FFFE) the problem went away.

The 2 registry keys to fix this issue are:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\

MaxFieldLength
16384
64 – 65534 (64kb) bytes
Sets an upper limit for each header. See MaxRequestBytes. This limit translates to approximately 32k characters for a URL.

MaxRequestBytes
16384
256 – 16777216 (16MB) bytes
Determines the upper limit for the total size of the Request line and the headers.
Its default setting is 16KB. If this value is lower than MaxFieldLength, the MaxFieldLength value is adjusted.

There’;s a comprehensive post that exactly describes this issue and outlines the reasoning behind the changes – worth a read… http://blogs.technet.com/b/surama/archive/2009/04/06/kerberos-authentication-problem-with-active-directory.aspx

Have a great weekend!

Advertisements

About Brad Saide

I'm a SharePoint consultant. I'm also slowly going bald, seem to have a permanent spare tyre around my waist and enjoy socialising with friends over a beer or 10. The last 2 may possibly be related. Started working with SharePoint when the first version was in limited beta release (participated in the Technology Adoption Program while at Woolworths) and have been committed to the adoption of the technology as a business enabler ever since.
This entry was posted in Uncategorized. Bookmark the permalink.

4 Responses to Bad Request (Request Header too long) – Kerberos Authentication Problem with Active Directory

  1. Brad says:

    A reader (Kaydee) asked a question about this blog entry:
    And how exactly do you use this, to get rid of the bad request thing.?
     
    I\’m not sure I understand the question, but I\’ll try and explain – In SharePoint, the Request header is limited to a set size. by default it is set to 16384 bytes (about 16kb) – if you change it so it\’s bigger, the oversizes request header generated by Excel Calculation Services stop being a problem. Likewise for the maximum request bytes – this is the maximum request that can be made to the server (although I do not think it would ever get to 16 meg you can certainly set it this high, no matter how heavy the pages are…).
     
    And a hint for Kaydee: If you ask a question, make sure your MSN settings allow someone to respond 😉

  2. Mario says:

    We are having this exact same issue, and I found your blog post very helpful.The entries MaxFieldLength and MaxRequestBytes do not exist under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\HTTP\\Parameters\\ on my machine.Should I go ahead and create these entries and assign them your recommended values ?Thanks,Mario

  3. Brad says:

    Hi Mario (sorry it took so long to respond).You can certainly try and apply the registry settings indicated in the article – especially if you are adding them, taking them away will revert the system to its original behaviour. Let me know how you go…Cheers – Brad

  4. Pingback: | SharePoint 2010 Blank Page / “400 Bad Request” error for random individual users

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s