- Opening the Infrastructure tab fails when the administrator is a member of several hundred groups
When using Active Directory and SSO, an IaaS administrator who is a member of many groups might be unable to display the Infrastructure tab. Attempting to do so may yield one of the following errors:
- Bad Request – Request Too Long – HTTP Error 400. The size of the request headers is too long.
- Service Unreachable – A required service cannot be reached at the expected address. Contact your system administrator for assistance. Reference error REPO404.
Workaround: The resolution is to increase the token limitations as in the following example.
1. Determine and set the maximum Kerberos token size. To determine the correct Kerberos maximum token size for your deployment, use the following guideline:
Kerberos MaxTokenSize = 1200 + 40d + 8s (bytes)
This formula uses the following values:
- d — The number of domain local groups a user is a member of plus the number of universal groups outside the user’s account domain that the user is a member of plus the number of groups represented in security ID (SID) history.
- s — The number of security global groups that a user is a member of plus the number of universal groups in a user’s account domain that the user is a member of.
- 1200 — The estimated value for ticket overhead. This value can vary depending on factors such as DNS domain name length and client name.
2. Determine if you need to modify the registry entry. If the token size that you calculate by using the above formula is less than 12,000 bytes (default size), you do not have to modify the MaxTokenSize registry value on domain clients. If the value is more than 12,000 bytes, adjust the MaxTokenSize registry value (reference http://support.microsoft.com/kb/263693). If you need to change the Kerberos MaxTokenSize value, modify the following registry entry:
HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
MaxTokenSize, REG_DWORD, <value> (maximum value is 65535)
3. Determine and set the correct HTTP maximum request size for your deployment by using the following guideline, where T is the Kerberos MaxTokenSize as set above:
MaxFieldLength = (4/3 * T bytes) + 200
MaxRequestBytes = (4/3 * T bytes) + 200
Set MaxFieldLength and MaxRequestBytes to the calculated values, as in the following example where they are set to the permitted maximum value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
MaxFieldLength DWORD 65534
MaxRequestBytes DWORD 16777216
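A sizing helper for steps 1 to 3, as an added example that is not part of the original article: it applies the formulas above to a user's group counts and caps each result at the maximum stated in the steps, so the limits can be set to what the deployment needs. The function name, parameter names and sample counts are assumptions, as is using the 12,000-byte default as T when no registry change is needed.

```powershell
# Added example: sizing helper for the three-step workaround above.
# Function and parameter names are hypothetical; limits are the ones stated in the steps.
function Get-KerberosHttpSizing {
    param(
        # d: domain local groups + universal groups outside the account domain + SID-history groups
        [Parameter(Mandatory)][ValidateRange(0, 100000)][int]$D,
        # s: security global groups + universal groups inside the account domain
        [Parameter(Mandatory)][ValidateRange(0, 100000)][int]$S
    )
    $defaultToken    = 12000     # default MaxTokenSize (step 2)
    $maxToken        = 65535     # maximum MaxTokenSize (step 2)
    $maxFieldLength  = 65534     # permitted maximum shown for MaxFieldLength (step 3)
    $maxRequestBytes = 16777216  # permitted maximum shown for MaxRequestBytes (step 3)

    # Step 1: MaxTokenSize = 1200 + 40d + 8s (bytes)
    $estimate = 1200 + 40 * $D + 8 * $S
    $notes = @()
    if ($estimate -gt $maxToken) {
        $notes += "Estimate $estimate exceeds the MaxTokenSize maximum of $maxToken; capped."
    }
    # Step 2: below the default nothing changes, so T stays at 12000 (assumption).
    $token = [Math]::Min([Math]::Max($estimate, $defaultToken), $maxToken)

    # Step 3: (4/3 * T) + 200, rounded up to a whole byte
    $http = [int][Math]::Ceiling(4 * $token / 3) + 200
    if ($http -gt $maxFieldLength) {
        $notes += "Computed $http exceeds the MaxFieldLength maximum; capped at $maxFieldLength."
    }

    [pscustomobject]@{
        EstimatedTokenBytes = $estimate
        ChangeMaxTokenSize  = ($estimate -gt $defaultToken)
        MaxTokenSize        = $token
        MaxFieldLength      = [Math]::Min($http, $maxFieldLength)
        MaxRequestBytes     = [Math]::Min($http, $maxRequestBytes)
        Notes               = ($notes -join ' ')
    }
}

# Constructed sample input: 300 groups counted under d, 500 under s.
Get-KerberosHttpSizing -D 300 -S 500
```

With T at its 65535 maximum the formula result is larger than the MaxFieldLength maximum, so the two HTTP values end up different even though they share one equation.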
For related information about issues with Kerberos authentication when a user belongs to many groups, see the following support notes:
http://support.microsoft.com/kb/327825
http://support.microsoft.com/kb/263693
http://support.microsoft.com/kb/2020943
Ryan, I'm a bit confused about the calculations listed in Step #3.
You list MaxFieldLength and MaxRequestBytes with the same equations, but in the example using the maximum MaxTokenSize size of 65535, the 2 fields are different sizes. The numbers in the examples are different from what I come up with. (4/3 * 65535) + 200 = 87379.
Thanks!
Hi Mark, We just make them both the max size to resolve this one.