REPO 404 Error when clicking Infrastructure tab in vCAC 6.0.1

    • Opening the Infrastructure tab fails when the administrator is a member of several hundred groups
      When using Active Directory and SSO, an IaaS administrator who is a member of many groups might be unable to display the Infrastructure tab. Attempting to do so may yield one of the following errors:

      • Bad Request – Request Too Long – HTTP Error 400. The size of the request headers is too long.
      • Service Unreachable – A required service cannot be reached at the expected address. Contact your system administrator for assistance. Reference error REPO404.

Workaround

      : The resolution is to increase the token limitations as in the following example.

1. Determine and set the maximum Kerberos token size. To determine the correct Kerberos maximum token size for your deployment, use the following guideline:

Kerberos MaxTokenSize = 1200 + 40d + 8s (bytes)

This formula uses the following values:

      • d — The number of domain local groups a user is a member of plus the number of universal groups outside the user’s account domain that the user is a member of plus the number of groups represented in security ID (SID) history.
      • s — The number of security global groups that a user is a member of plus the number of universal groups in a user’s account domain that the user is a member of.
      • 1200 — The estimated value for ticket overhead. This value can vary depending on factors such as DNS domain name length and client name.

2. Determine if you need to modify the registry entry. If the token size that you calculate by using the above formula is less than 12,000 bytes (default size), you do not have to modify the MaxTokenSize registry value on domain clients. If the value is more than 12,000 bytes, adjust the MaxTokenSize registry value (reference http://support.microsoft.com/kb/263693). If you need to change the Kerberos MaxTokenSize value, modify the following registry entry:

HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
MaxTokenSize, REG_DWORD,
<value> (maximum value is 65535)

3. Determine and set the correct HTTP maximum request size for your deployment by using the following guideline, where T is the Kerberos MaxTokenSize as set above:

MaxFieldLength = (4/3 * T bytes) + 200
MaxRequestBytes = (4/3 * T bytes) + 200

Set MaxFieldLength and MaxRequestBytes to the calculated values, as in the following example where they are set to the permitted maximum value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
MaxFieldLength DWORD 65534
MaxRequestBytes DWORD 16777216

For related information about issues with Kerberos authentication when a user belongs to many groups, see the following support notes:
http://support.microsoft.com/kb/327825
http://support.microsoft.com/kb/263693
http://support.microsoft.com/kb/2020943

3 Replies to “REPO 404 Error when clicking Infrastructure tab in vCAC 6.0.1”

  1. Ryan, I a bit confused about the calculations listed in Step #3.
    You list MaxFieldLength and MaxRequestBytes with the same equations.

    but in the example using the maximum MaxTokenSize size of 65535, the 2 fields are different sizes. The numbers in the examples are different from what I come up with. (4/3 * 65535) + 200 = 87379.
    Thanks!

  2. I see you don’t monetize vmtocloud.com, don’t waste your
    traffic, you can earn additional cash every month with new monetization method.

    This is the best adsense alternative for any type
    of website (they approve all websites), for more info simply search
    in gooogle: murgrabia’s tools

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.