Olav Aukan Getting information off the Internet is like taking a drink from a fire hydrant…

24Nov/10

400 Bad Request (Header Field Too Long) when using Kerberos authentication

A client was having a problem with his SharePoint installation a while back that really confused me at first. Some users were unable to access their SharePoint 2007 intranet after Kerberos authentication had been configured. Instead of being logged in automatically as expected, they received a nice "This page cannot be displayed" in Internet Explorer. The error returned by IIS was "400 Bad Request (Header Field Too Long)".

After some research I stumbled upon this blog post: HTTP/1.1 400 Bad Request (Header Field Too Long), which pointed me to KB-820129. The problem boils down to the difference in the way NTLM and Kerberos authentication are performed. With NTLM authentication the client authenticates to the server with his username and password, and the server then checks the user's memberships by looking up the user in Active Directory. With Kerberos authentication the client gets this information from Active Directory himself and sends a "token" to the server that contains information about the user's memberships. The more AD groups the user is a member of, the bigger the token, and at some point it can become so large that IIS rejects the whole request.
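To find out which users are likely to hit the limit before they report it, count each user's effective (nested) group memberships. The snippet below is an added example, not code from the post or from KB-820129; it reads the constructed tokenGroups attribute, which holds the group SIDs that end up in the user's Kerberos ticket, and assumes it runs on a domain-joined machine as a domain user. The account names 'alice' and 'bob' are placeholders.

```powershell
# Count a user's effective (nested) group memberships via the constructed tokenGroups
# attribute. This approximates the set of group SIDs carried in the user's Kerberos token,
# so the users with the highest counts are the ones most likely to produce an oversized header.
# Added example; not part of the original post or of KB 820129.
function Get-EffectiveGroupCount {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "User '$SamAccountName' not found in the current domain." }

    # tokenGroups is computed by the domain controller on request, so it has to be
    # asked for explicitly instead of relying on the attributes returned by the search.
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))
    $sids = $entry.Properties['tokenGroups'] | ForEach-Object {
        (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
    }

    New-Object PSObject -Property @{
        User       = $SamAccountName
        GroupCount = @($sids).Count
        Sids       = $sids
    }
}

# Typical use: rank the users who report the error, highest group count first.
# 'alice' and 'bob' are placeholder account names.
'alice', 'bob' | ForEach-Object { Get-EffectiveGroupCount $_ } |
    Sort-Object GroupCount -Descending | Format-Table User, GroupCount -AutoSize
```

Nested memberships are already expanded in tokenGroups, so a user who is directly in only a handful of groups can still come out with a high count when those groups are nested inside many others, which is exactly the pattern described in the next paragraph.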

This explained why only some users were having problems: we discovered that the affected users had dozens of AD group memberships, and those AD groups were nested inside other AD groups, etc. The solution for us was to modify the following registry values under the HTTP\Parameters key on all the SharePoint web front end servers in the farm:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\MaxFieldLength = 65534
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\MaxRequestBytes = 65534

After the registry modifications have been made, the HTTP service and all related IIS services have to be restarted, as described at the bottom of KB-820129:

To restart the HTTP service and all related IIS services, follow these steps:

  1. Click Start, click Run, type Cmd and then click OK.
  2. At the command prompt, type net stop http and then press ENTER.
  3. At the command prompt, type net start http and then press ENTER.
  4. At the command prompt, type net stop iisadmin /y and then press ENTER.

    Note: Any IIS services that depend on the IIS Admin Service service will also be stopped. Notice the IIS services that are stopped when you stop the IIS Admin Service service. You will restart each service in the next step.

  5. Restart the IIS services that were stopped in step 4. To do this, type net start servicename at the command prompt and then press ENTER. In the command, servicename is the name of the service that you want to restart. For example, to restart the World Wide Web Publishing Service service, type net start "World Wide Web Publishing Service", and then press ENTER.
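The whole procedure (set the two registry values, then bounce HTTP and the IIS services that depend on it) can be scripted so that it is applied identically on every web front end. The script below is an added example, not code from the post or from KB-820129; it assumes it runs as an administrator on the web front end, uses the same decimal value 65534 for both settings as the post does, and records the running dependent services before stopping anything so that step 5 (starting them again) does not rely on reading the console output.

```powershell
# Apply the Http.sys limits from the post and restart HTTP plus dependent IIS services.
# Added example; not part of the original post or of KB 820129. Run as an administrator.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Set-HttpSysLimit {
    param([string]$Name, [int]$Value)
    # Values are decimal DWORDs. 65534 is the upper bound Http.sys accepts for MaxFieldLength.
    $before = (Get-ItemProperty -Path $regPath -Name $Name -ErrorAction SilentlyContinue).$Name
    Set-ItemProperty -Path $regPath -Name $Name -Value $Value -Type DWord
    if ($null -eq $before) { $before = '<not set>' }
    "{0}: {1} -> {2}" -f $Name, $before, $Value
}

Set-HttpSysLimit -Name MaxFieldLength  -Value 65534
Set-HttpSysLimit -Name MaxRequestBytes -Value 65534

# Collect the running services that depend (directly or transitively) on a service, so the
# same set can be started again afterwards. HTTP is a kernel driver, which Get-Service does
# not list, so ServiceController is used directly.
function Get-RunningDependents([string]$ServiceName) {
    try {
        $svc = New-Object System.ServiceProcess.ServiceController $ServiceName
        foreach ($dep in $svc.DependentServices) {
            if ($dep.Status -eq 'Running') { $dep.ServiceName }
            Get-RunningDependents $dep.ServiceName
        }
    } catch {
        # Service does not exist on this box (e.g. no IISADMIN without metabase compatibility).
    }
}

$toRestart = @('HTTP', 'IISADMIN') | ForEach-Object { Get-RunningDependents $_ } | Select-Object -Unique

# Same commands as the KB steps; /y answers the prompt about stopping dependent services.
net stop http /y | Out-Null
net start http    | Out-Null
net stop iisadmin /y | Out-Null

# Step 5: bring back exactly the services that were running before. The service control manager
# starts any dependencies (IISADMIN, WAS, HTTP) of each one automatically.
foreach ($name in $toRestart) {
    Start-Service -Name $name
    "started {0}" -f $name
}
```

Running the registry part alone does nothing until HTTP is restarted, because Http.sys reads these parameters only when the driver starts; that is why the script captures the dependent-service list before stopping HTTP rather than after.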