IIS returns the “HTTP 400 Bad Request – Request header too long” error page when a header in the HTTP request is bigger than the limit configured in HTTP.sys, the kernel-mode driver that receives requests on behalf of IIS. The request is rejected before it ever reaches the web application.
A common scenario in which this error shows up is requests from users who are members of many Active Directory groups. When the website is configured to use Kerberos authentication, the client sends its Kerberos ticket, which carries the user's group memberships (the PAC), base64-encoded in the Authorization: Negotiate request header. Every additional group makes that ticket, and therefore the header, larger, so being a member of too many groups results in an oversized request header.
How to solve “HTTP 400 Bad Request – Request header too long” error
An obvious solution is to reduce the number of Active Directory groups users are members of (nested groups count too, since group membership is expanded into the ticket). However, this is not practical in many companies because of the user count and the group hierarchy.
A better solution is to increase the MaxFieldLength and MaxRequestBytes values of HTTP.sys. MaxFieldLength is the upper limit, in bytes, for each individual header. MaxRequestBytes is the upper limit for the total size of the request line plus all headers, so in practice it should be at least as large as MaxFieldLength.
How to calculate optimum MaxFieldLength and MaxRequestBytes values?
Microsoft publishes a formula for calculating the optimum values for these fields. The formula takes MaxTokenSize, the largest Kerberos token Windows will build for a user, as its input. The referenced Microsoft article recommends keeping MaxTokenSize below 48,000 bytes:
The maximum allowed value of MaxTokenSize is 65,535 bytes. If you are using Kerberos for IPSEC key management, the limit is 65,536 bytes. However, because of HTTP's base64 encoding of authentication context tokens, we do not recommend that you set the MaxTokenSize registry entry to a value larger than 48,000 bytes. Starting with Windows Server 2012, the default value of the MaxTokenSize registry entry is 48,000 bytes.
How to set MaxFieldLength and MaxRequestBytes values?
These values are stored as REG_DWORD entries under the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. As a rule of thumb, back up the registry key before making any changes. HTTP.sys reads these parameters only when it starts, so the HTTP service (and with it IIS) has to be restarted for a change to take effect.
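The following PowerShell script is added here as a worked example; it is not code from the original post or from Microsoft. It ties the steps above together: it reads the machine's current MaxTokenSize, derives MaxFieldLength and MaxRequestBytes from it, backs up the registry key, writes the values and restarts HTTP.sys. The formula it uses, (4/3 × MaxTokenSize) + 200, is the one I know from Microsoft's knowledge-base article on this error (base64 growth of the token plus header overhead); the post refers to the formula without printing it, so treat the formula, the 32K ceiling check and all function and variable names as this example's assumptions.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell
# session on the IIS server, from a console: restarting HTTP.sys also drops
# WinRM sessions, which depend on it. Function and variable names are my own.

$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosMaxTokenSize {
    # MaxTokenSize is only present when it was set explicitly; the post notes
    # that the default is 48,000 bytes from Windows Server 2012 onward.
    $item = Get-ItemProperty -Path $KerbParams -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.MaxTokenSize }
    return 48000
}

function Get-HttpSysLimitsForToken {
    param([Parameter(Mandatory)][int]$MaxTokenSize)
    # Assumed formula (Microsoft's rule of thumb, not printed in the post):
    # base64 grows the token by 4/3, and ~200 bytes cover the
    # "Authorization: Negotiate " prefix and the rest of the header line.
    $perHeader = [int][math]::Ceiling($MaxTokenSize * 4 / 3) + 200
    [pscustomobject]@{
        MaxFieldLength  = $perHeader   # limit for a single header
        MaxRequestBytes = $perHeader   # request line + all headers; never below MaxFieldLength
    }
}

function Set-HttpSysHeaderLimits {
    param(
        [Parameter(Mandatory)][int]$MaxFieldLength,
        [Parameter(Mandatory)][int]$MaxRequestBytes,
        [string]$BackupPath = "$env:TEMP\HTTP-Parameters-backup.reg"
    )
    if ($MaxRequestBytes -lt $MaxFieldLength) {
        throw 'MaxRequestBytes must not be smaller than MaxFieldLength'
    }
    if ($MaxFieldLength -gt 32768) {
        # The post advises staying at or below 32K; larger limits let any
        # unauthenticated client make HTTP.sys buffer more per request.
        Write-Warning "MaxFieldLength $MaxFieldLength exceeds 32K; consider trimming group membership instead."
    }

    # Back up the key first, as the post advises.
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' $BackupPath /y | Out-Null

    $values = @{ MaxFieldLength = $MaxFieldLength; MaxRequestBytes = $MaxRequestBytes }
    foreach ($entry in $values.GetEnumerator()) {
        Set-ItemProperty -Path $HttpParams -Name $entry.Key -Value $entry.Value -Type DWord
    }

    # HTTP.sys reads these only at startup. -Force stops dependent services
    # (including W3SVC) without restarting them, so start the web service again.
    Restart-Service -Name HTTP -Force
    Start-Service -Name W3SVC

    # Return what is now in the registry so the caller can verify it.
    Get-ItemProperty -Path $HttpParams -Name MaxFieldLength, MaxRequestBytes |
        Select-Object MaxFieldLength, MaxRequestBytes
}

# Usage: derive the values from this machine's MaxTokenSize, review them, then apply.
$limits = Get-HttpSysLimitsForToken -MaxTokenSize (Get-KerberosMaxTokenSize)
$limits
# Set-HttpSysHeaderLimits -MaxFieldLength $limits.MaxFieldLength -MaxRequestBytes $limits.MaxRequestBytes
```

With the 48,000-byte default MaxTokenSize the formula yields about 64,200 bytes, well above the 32K ceiling the next section recommends; that is exactly the case where the warning fires and shrinking the token (fewer or less nested groups) is the better fix than raising the limits.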
Recommendation for MaxFieldLength and MaxRequestBytes values
As a best practice, the smaller the values, the better for HTTP.sys kernel memory usage and security: the limits apply to every request, authenticated or not, so generous values let any client make HTTP.sys buffer more data per request before it is rejected. The best approach is to increase these values gradually while watching for 400 rejections. Because HTTP.sys rejects these requests before IIS sees them, they do not appear in the site's W3C logs; look in %SystemRoot%\System32\LogFiles\HTTPERR\httperr*.log for entries whose reason is FieldLength (a single header exceeded MaxFieldLength) or RequestLength (the whole request exceeded MaxRequestBytes). The smallest values that no longer produce these rejections are the best values.
In general, I wouldn't recommend setting them higher than 32K. The Microsoft article linked in the references sets MaxFieldLength and MaxRequestBytes to 32K as a security recommendation.
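To make the "watch the 400 rejections" step concrete, here is a small PowerShell parser for the HTTPERR log, added as an example and not part of the original post. It reads the #Fields: directive rather than relying on fixed column positions, keeps only the FieldLength and RequestLength rejections, and summarises them per client so you can see who hits which limit. The log lines below are constructed for the example, not taken from a real server; the function name is my own.

```powershell
# Added example, not code from the original post. Parses HTTP.sys error-log
# lines and reports the rejections caused by MaxFieldLength / MaxRequestBytes.
# Real logs live in $env:SystemRoot\System32\LogFiles\HTTPERR\httperr*.log.

function Get-HeaderLimitRejections {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fieldNames = $null
    foreach ($line in $Lines) {
        # The #Fields: directive names the columns; use it instead of fixed
        # offsets, because the column set differs between HTTP.sys versions.
        if ($line.StartsWith('#Fields:')) {
            $fieldNames = $line.Substring('#Fields:'.Length).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fieldNames) { continue }

        $cols = $line -split '\s+'
        if ($cols.Count -ne $fieldNames.Count) { continue }   # malformed line, skip it
        $reason = $cols[[array]::IndexOf($fieldNames, 's-reason')]

        # FieldLength   = a single header exceeded MaxFieldLength
        # RequestLength = request line + headers exceeded MaxRequestBytes
        if ($reason -eq 'FieldLength' -or $reason -eq 'RequestLength') {
            [pscustomobject]@{
                Timestamp = '{0} {1}' -f $cols[[array]::IndexOf($fieldNames, 'date')],
                                         $cols[[array]::IndexOf($fieldNames, 'time')]
                Client    = $cols[[array]::IndexOf($fieldNames, 'c-ip')]
                Uri       = $cols[[array]::IndexOf($fieldNames, 'cs-uri')]
                Reason    = $reason
            }
        }
    }
}

# Constructed sample lines in the HTTPERR format (not from a real server).
# The third line is an idle-connection timeout and must not be reported.
$sampleLog = @'
#Software: Microsoft HTTP API 2.0
#Version: 1.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri streamid sc-status s-siteid s-reason s-queuename
2024-03-01 08:15:02 10.20.0.15 52011 10.20.0.2 80 HTTP/1.1 GET /intranet/ - 400 - FieldLength -
2024-03-01 08:15:09 10.20.0.15 52012 10.20.0.2 80 HTTP/1.1 GET /intranet/ - 400 - RequestLength -
2024-03-01 08:16:30 10.20.0.77 49870 10.20.0.2 80 - - - - - - Timer_ConnectionIdle -
2024-03-01 08:17:41 10.20.0.31 50101 10.20.0.2 443 HTTP/1.1 POST /api/report - 400 - FieldLength -
'@ -split "`r?`n"

$rejections = Get-HeaderLimitRejections -Lines $sampleLog
$rejections | Format-Table -AutoSize

# Which clients need the larger headers, and which limit they hit:
$rejections | Group-Object Reason, Client | Select-Object Count, Name | Sort-Object Count -Descending

# Against a live server, replace $sampleLog with:
# Get-Content "$env:SystemRoot\System32\LogFiles\HTTPERR\httperr*.log"
```

Run after each increase of the limits: when the FieldLength and RequestLength entries stop appearing for the affected users, you have found the smallest values that work. If the only clients listed are ones that should not be reaching the site at all, the rejections are doing their job and the limits should stay where they are.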
References
- How to configure IIS to support large AD Token with Group Policy
- MaxTokenSize and Windows 8 and Windows Server 2012
- Problems with Kerberos authentication when a user belongs to many groups
- Http.sys registry settings for Windows
- Kerberos Authentication Problem with Active Directory
- Configuring Request Limits
- Getting Kerberos token size with Powershell
Can you make a simpler explanation? Also, what if you don’t own the website or know how to do any of what the instructions say?
Hello, this header does not let me pay the statement of my Serfinanza Olímpica account.
What do I do?
What help is this to solve the problems? More details are needed for the average person to fix the computer.
I have a bad request error and I have tried to get rid of it. Help please.
Please can you repeat this in layman's terms so that the rest of us can understand what you are saying and how to fix it? I do not know what all the Kerberos and token size and other things are. There has to be some simple way to fix it. It costs too much to call a fix-it man. I make cards for the sick people at church every month who can't get out, and I depend on being able to use this feature.