- Opening the Infrastructure tab fails when the administrator is a member of several hundred groups
When using Active Directory and SSO, an IaaS administrator who is a member of many groups might be unable to display the Infrastructure tab. Attempting to do so may yield one of the following errors:
- Bad Request – Request Too Long – HTTP Error 400. The size of the request headers is too long.
- Service Unreachable – A required service cannot be reached at the expected address. Contact your system administrator for assistance. Reference error REPO404.
The resolution is to increase the token limitations as in the following example.
1. Determine and set the maximum Kerberos token size. To determine the correct Kerberos maximum token size for your deployment, use the following guideline:
MaxTokenSize = 1200 + 40d + 8s (bytes)
This formula uses the following values:
- d — The number of domain local groups a user is a member of plus the number of universal groups outside the user’s account domain that the user is a member of plus the number of groups represented in security ID (SID) history.
- s — The number of security global groups that a user is a member of plus the number of universal groups in a user’s account domain that the user is a member of.
- 1200 — The estimated value for ticket overhead. This value can vary depending on factors such as DNS domain name length and client name.
2. Determine if you need to modify the registry entry. If the token size that you calculate by using the above formula is less than 12,000 bytes (default size), you do not have to modify the MaxTokenSize registry value on domain clients. If the value is more than 12,000 bytes, adjust the MaxTokenSize registry value (reference http://support.microsoft.com/kb/263693). If you need to change the Kerberos MaxTokenSize value, modify the following registry entry:
HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters<value> (maximum value is 65535)
3. Determine and set the correct HTTP maximum request size for your deployment by using the following guideline, where T is the Kerberos MaxTokenSize as set above:
MaxFieldLength = (4/3 * T bytes) + 200
MaxRequestBytes = (4/3 * T bytes) + 200
Set MaxFieldLength and MaxRequestBytes to the calculated values, as in the following example where they are set to the permitted maximum value:
MaxFieldLength DWORD 65534
MaxRequestBytes DWORD 16777216
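The sizing steps above, worked through as an added Python example that is not part of the original note: it buckets a list of group memberships into d and s, then applies steps 1 to 3 with the default and maximums stated here. The `Group` record, the domain names, the membership counts and the assumption that every listed group is a security group are constructed for illustration; rounding 4/3 * T up to a whole byte is this example's choice.

```python
import math
from collections import namedtuple

# Default and maximums as stated in this note.
DEFAULT_TOKEN, TOKEN_LIMIT = 12000, 65535
FIELD_LIMIT, REQUEST_LIMIT = 65534, 16777216

# Constructed record: scope is "DomainLocal", "Global" or "Universal".
Group = namedtuple("Group", "name scope domain sid_history")

def count_d_s(groups, account_domain):
    """Bucket security-group memberships into the formula's d and s counts."""
    d = s = 0
    for g in groups:
        foreign = g.domain.lower() != account_domain.lower()
        if g.sid_history or g.scope == "DomainLocal" or (g.scope == "Universal" and foreign):
            d += 1          # domain local, universal outside account domain, SID history
        elif g.scope in ("Global", "Universal"):
            s += 1          # global, or universal inside the account domain
        else:
            raise ValueError(f"unknown group scope: {g.scope!r}")
    return d, s

def size_limits(d, s):
    """Apply steps 1-3 and return the values to set, flagging a capped field length."""
    needed = 1200 + 40 * d + 8 * s
    if needed > TOKEN_LIMIT:
        raise ValueError(f"{needed} bytes exceeds the MaxTokenSize maximum of {TOKEN_LIMIT}")
    t = max(needed, DEFAULT_TOKEN)        # T stays at the default when no change is needed
    http = math.ceil(4 * t / 3) + 200     # rounded up (assumption of this example)
    return {
        "token_bytes": needed,
        "change_MaxTokenSize": needed > DEFAULT_TOKEN,
        "MaxTokenSize": t,
        "MaxFieldLength": min(http, FIELD_LIMIT),
        "MaxRequestBytes": min(http, REQUEST_LIMIT),
        "field_length_capped": http > FIELD_LIMIT,
    }

def sample_groups():
    """Constructed memberships for one administrator in corp.example."""
    acct, other = "corp.example", "partner.example"
    spec = [("DomainLocal", acct, False, 300), ("Universal", other, False, 50),
            ("Global", other, True, 20), ("Global", acct, False, 400),
            ("Universal", acct, False, 100)]
    return [Group(f"g{i}", sc, dom, hist) for sc, dom, hist, n in spec for i in range(n)]

if __name__ == "__main__":
    d, s = count_d_s(sample_groups(), "corp.example")
    print(d, s, size_limits(d, s))
```

Once T passes roughly 49,000 bytes the calculated MaxFieldLength exceeds its permitted maximum of 65534, so the function caps it and sets `field_length_capped`.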
For related information about issues with Kerberos authentication when a user belongs to many groups, see the following support notes: