IIS sends the “HTTP 400 Bad Request – Request header too long” error page when the header size of an HTTP request exceeds the limit set in the web server.
A common scenario in which this error message shows up is requests made by users who are members of many Active Directory groups. When the website is configured to use Kerberos authentication, information about group memberships is stored in the
WWW-Authenticate header. Therefore, being a member of too many groups may result in an oversized request header.
How to solve “HTTP 400 Bad Request – Request header too long” error
An obvious solution is to decrease the number of Active Directory groups users are members of. However, this is not a practical solution in many companies due to the user count and membership hierarchy.
A better solution is to decrease
MaxFieldLength is the upper limit for each header.
MaxRequestBytes is the upper limit for the total size of the Request line and the headers.
How to calculate optimum MaxFieldLength and MaxRequestBytes values?
The maximum allowed value of
MaxTokenSize is 65,535 bytes. If you are using Kerberos for IPSEC key management, the limit is 65,536 bytes. However, because of HTTP’s base64 encoding of authentication context tokens, we do not recommend that you set the
maxTokenSize registry entry to a value larger than 48,000 bytes.
Starting with Windows Server 2012, the default value of the MaxTokenSize registry entry is 48,000 bytes (see Active Directory Maximum Limits – Scalability).
How to set MaxFieldLength and MaxRequestBytes values?
These values are stored in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. As a rule of thumb, make sure to back up the registry before making any changes.
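The following PowerShell script is an added example, not part of the original post or of any Microsoft tool. It derives MaxFieldLength and MaxRequestBytes from a known Kerberos token size (obtained separately, for instance with the PowerShell method linked at the end of this post), exports the HTTP Parameters key as a backup, and writes both DWORD values. Two assumptions are baked in: the base64 expansion of 4/3 that the post mentions plus a fixed 200-byte allowance for the rest of the header, and a 32,768-byte ceiling matching the recommendation not to exceed 32K. Run it in an elevated session; HTTP.sys reads these values only when it starts.

```powershell
# Added example (not from the original post): derive MaxFieldLength / MaxRequestBytes
# from a Kerberos token size, back up the HTTP.sys Parameters key, and apply the values.
# Assumptions: 4/3 base64 expansion + 200-byte allowance for the rest of the header,
# and a 32K ceiling as recommended in the post. Run from an elevated PowerShell.

$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-HttpHeaderLimit {
    param(
        [Parameter(Mandatory)][int]$TokenSizeBytes,   # raw Kerberos token size in bytes
        [int]$HeaderOverheadBytes = 200,              # assumed allowance for the rest of the header
        [int]$Ceiling = 32KB                          # post's rule of thumb: do not go above 32K
    )
    # base64 inflates the token by 4/3; round up to whole bytes
    $encoded = [math]::Ceiling($TokenSizeBytes * 4 / 3)
    $needed  = $encoded + $HeaderOverheadBytes
    if ($needed -gt $Ceiling) {
        Write-Warning "Token needs $needed bytes, above the $Ceiling ceiling; reducing group membership is the safer fix."
    }
    [pscustomobject]@{
        TokenSizeBytes  = $TokenSizeBytes
        MaxFieldLength  = [math]::Min($needed, $Ceiling)   # per-header limit
        MaxRequestBytes = [math]::Min($needed, $Ceiling)   # request line + all headers
    }
}

function Backup-HttpParameters {
    param([string]$Path = "$env:TEMP\HTTP-Parameters-$(Get-Date -Format yyyyMMdd-HHmmss).reg")
    # reg.exe export produces a .reg file that can be restored with 'reg.exe import'
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export failed" }
    $Path
}

function Set-HttpHeaderLimit {
    param(
        [Parameter(Mandatory)][int]$MaxFieldLength,
        [Parameter(Mandatory)][int]$MaxRequestBytes
    )
    $backup = Backup-HttpParameters
    Write-Host "Backup written to $backup"
    # Both values are REG_DWORD; -Force creates the value if it is missing or overwrites it
    New-ItemProperty -Path $HttpParams -Name MaxFieldLength  -PropertyType DWord -Value $MaxFieldLength  -Force | Out-Null
    New-ItemProperty -Path $HttpParams -Name MaxRequestBytes -PropertyType DWord -Value $MaxRequestBytes -Force | Out-Null
    Get-ItemProperty -Path $HttpParams | Select-Object MaxFieldLength, MaxRequestBytes
}

# Usage: a 12,000-byte token needs ceil(12000 * 4/3) + 200 = 16,200 bytes under these assumptions
$limits = Get-HttpHeaderLimit -TokenSizeBytes 12000
$limits
# Apply (uncomment), then restart HTTP.sys: reboot, or 'net stop http /y' followed by 'net start w3svc'
# Set-HttpHeaderLimit -MaxFieldLength $limits.MaxFieldLength -MaxRequestBytes $limits.MaxRequestBytes
```

Keeping the two values equal is the simplest starting point; MaxRequestBytes can only ever need to be larger than MaxFieldLength, never smaller, since it covers the whole request line and all headers.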
Recommendation for MaxFieldLength and MaxRequestBytes values
As a best practice, the smaller the values, the better for IIS kernel memory usage and security. The best approach is to increase these values gradually while keeping an eye on 400 errors in the IIS logs. The smallest values that don’t cause 400 errors are the best values.
In general, I wouldn’t recommend setting them to more than 32K. Here is a Microsoft article that sets the
MaxRequestBytes fields to 32K as a security recommendation.
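To make the “keep an eye on 400 errors” step concrete, here is an added PowerShell example (not from the original post) that parses W3C-format IIS log lines using the #Fields directive to map columns, and summarises 400 responses by client and URI. The log lines in the script are constructed sample data; the commented path at the end is the default IIS log location and should be adjusted to the site in question.

```powershell
# Added example (not from the original post): summarise HTTP 400 responses in W3C IIS logs
# while MaxFieldLength / MaxRequestBytes are being tuned. Sample lines below are constructed.

function Get-Http400Summary {
    param(
        [Parameter(Mandatory)][string[]]$Lines,   # raw W3C log lines, including the #Fields header
        [int]$Status = 400
    )
    $fields = $null
    $hits = foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # the #Fields directive names the columns for the lines that follow it
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }            # no header seen yet; columns cannot be mapped
        $cols = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['sc-status'] -eq "$Status") {
            [pscustomobject]@{
                Time   = "$($row['date']) $($row['time'])"
                Client = $row['c-ip']
                Uri    = $row['cs-uri-stem']
                User   = $row['cs-username']
            }
        }
    }
    # one line per client/URI pair, busiest first: repeated 400s from one client point at an oversized token
    $hits | Group-Object Client, Uri | Sort-Object Count -Descending |
        Select-Object Count, @{n='Client'; e={ $_.Group[0].Client }}, @{n='Uri'; e={ $_.Group[0].Uri }}
}

# Constructed sample: three 400s from one client (never authenticated, so cs-username is '-') and one normal 200
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 09:00:01 10.0.0.5 GET /intranet/ - 443 - 10.0.0.21 Mozilla/5.0 400 0 0 3
2024-01-15 09:00:02 10.0.0.5 GET /intranet/ - 443 - 10.0.0.21 Mozilla/5.0 400 0 0 2
2024-01-15 09:00:05 10.0.0.5 GET /intranet/ - 443 CONTOSO\alice 10.0.0.22 Mozilla/5.0 200 0 0 15
2024-01-15 09:00:09 10.0.0.5 GET /intranet/ - 443 - 10.0.0.21 Mozilla/5.0 400 0 0 2
'@ -split "`r?`n"

Get-Http400Summary -Lines $sample | Format-Table -AutoSize
# Expected: one row, Count 3, Client 10.0.0.21, Uri /intranet/

# Real logs (default IIS location; adjust the site id):
# Get-Http400Summary -Lines (Get-Content "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1\*.log")
```

Because HTTP.sys rejects oversized headers before the request reaches the site, some of these 400s may only appear in the HTTP.sys error log under %SystemRoot%\System32\LogFiles\HTTPERR; that log uses the same #Fields convention, so the same function can be pointed at it.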
- How to configure IIS to support large AD Token with Group Policy
- MaxTokenSize and Windows 8 and Windows Server 2012
- Problems with Kerberos authentication when a user belongs to many groups
- Http.sys registry settings for Windows
- Kerberos Authentication Problem with Active Directory
- Configuring Request Limits
- Getting Kerberos token size with Powershell