HTTP 400 Bad Request (Request header too long) (Solved)

IIS sends “HTTP 400 Bad Request – Request header too long” error page when the header size in the HTTP request is bigger than the limit set in the web server.

A common scenario in which this error message shows up is the requests made by users who are member of many Active Directory groups. When the website is configured to use Kerberos authentication, information about group memberships are stored in WWW-Authenticate header. Therefore, being member of too many groups may result oversize request header.

Getting an Schannel error? Check these posts out.

How to solve “HTTP 400 Bad Request – Request header too long” error 

An obvious solution is to decrease the number Active Directory groups users are member of. However, this is a not a practical solution in many companies due to user count and membership hierarchy. 

A better solution is to decrease MaxFieldLength and MaxRequestBytes values. MaxFieldLength is the upper limit for each header. MaxRequestBytes is the upper limit for the total size of the Request line and the headers.

How to calculate optimum MaxFieldLength and MaxRequestBytes values?

There is a formula to calculate optimum values for these fields. This formula uses MaxTokenSize value as input. In this page, it is recommended to set MaxTokenSize to a value lower than 48,000 bytes. 

The maximum allowed value of MaxTokenSize is 65,535 bytes. If you are using Kerberos for IPSEC key management, the limit of 65,536 bytes. However, because of HTTP’s base64 encoding of authentication context tokens, we do not recommend that you set the maxTokenSize registry entry to a value larger than 48,000 bytes.

Starting with Windows Server 2012, the default value of the MaxTokenSize registry entry is 48,000 bytes.

Active Directory Maximum Limits – Scalability

How to set MaxFieldLength and MaxRequestBytes values?

These values are stored in the following Registry container:  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. As a rule of thumb, make sure to backup registry before making any changes.

Recommendation for MaxFieldLength and MaxRequestBytes values

As a best practice;the smaller the values, the better for IIS kernel memory usage and security.The best approach would be gradually increasing these values and keeping an eyeon 400 errors in IIS logs. The minimum values that don’t cause 400 errors would be the best values.

In general, I wouldn’t recommend them to be setmore than 32K. Here is a Microsoft article that sets MaxFieldLength and MaxRequestBytes fields to 32K as a security recommendation.

References

• How to configure IIS to support large AD Token with Group Policy
• MaxTokenSize and Windows 8 and Windows Server 2012
• Problems with Kerberos authentication when a user belongs to many groups
• Http.sys registry settings for Windows
• Kerberos Authentication Problem with Active Directory
• Configuring Request Limits
• Getting Kerberos token size with Powershell