
Commit 8188245

Merge pull request #8469 from paulcociuba/patch-2
AB#4648: Docs 2024 review: Update http-bad-request-response-kerberos.md
2 parents 3510f4b + 16a879f commit 8188245

1 file changed

Lines changed: 10 additions & 8 deletions

support/developer/webapps/iis/www-authentication-authorization/http-bad-request-response-kerberos.md

@@ -1,20 +1,20 @@
11
---
2-
title: HTTP 400 error responses to HTTP requests
2+
title: HTTP 400 Error Responses to HTTP Requests
33
description: Works around an HTTP 400 error that the HTTP request header is too long.
4-
ms.date: 01/10/2025
4+
ms.date: 03/24/2025
55
ms.custom: sap:WWW Authentication and Authorization\Windows Authentication
66
ms.reviewer: ivanpash, paulboc
77
---
88
# HTTP 400 Bad Request (Request Header too long) responses to HTTP requests
99

10-
When an HTTP request that needs Kerberos authentication is sent to a website that's hosted on Internet Information Services (IIS) and is configured to use Kerberos authentication, the HTTP request header would be very long. This article helps you work around the HTTP 400 error that occurs when the HTTP request header is too long.
10+
When an HTTP request that contains a Kerberos authentication ticket is sent to a website that's hosted on Internet Information Services (IIS) and is configured to use Windows Integrated Authentication, the HTTP request header can have a considerable length that exceeds the maximum size of such headers accepted by the IIS server by default. This article helps you work around the HTTP 400 error that occurs when the HTTP request header is too long.
1111

1212
_Original product version:_   Windows Server 2016
1313
_Original KB number:_   2020943
1414

1515
## Symptoms
1616

17-
An HTTP request that needs Kerberos authentication is sent from a browser to a website that's hosted on IIS. The website is configured to use Kerberos authentication. However, instead of receiving the expected webpage, you receive an error message that resembles the following one:
17+
When attempting to access a web application hosted on IIS that requires Windows Integrated Authentication to grant users access to its resources, the client (browser) will submit an HTTP request that includes an authentication header (header name: `Authorization`) that uses either NTLM or Kerberos as authentication protocols. In the scenario where a Kerberos authentication token is sent from a browser to a website that's hosted on IIS, instead of receiving the expected webpage, you receive an error message that resembles the following one:
1818

1919
> HTTP 400 - Bad Request (Request header too long)
2020
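Review bot: the rewritten line 10 says the header exceeds "the maximum size of such headers accepted by the IIS server by default", but the limit this article is about is enforced by HTTP.sys, not by IIS itself; the patch's own NOTE says registry changes only take effect after restarting the HTTP service, and the new line 50 points at the Http.sys registry settings. Suggest "exceeds the maximum header size that HTTP.sys on the IIS server accepts by default" so readers look at the right component. Also, line 2 changes the front-matter title to title case ("HTTP 400 Error Responses to HTTP Requests") while the H1 at line 8 stays in sentence case; pick one convention for both.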
@@ -24,28 +24,30 @@ This response could be generated by any HTTP request that includes Windows Remot
2424

2525
This issue may occur if the user is a member of many Active Directory user groups.
2626

27-
The HTTP request to the server contains the Kerberos token in the `WWW-Authenticate` header. The header size increases together with the number of user groups. If the HTTP header or packet size increases past the limits that are configured on the server, the server may reject the request and send an error message as the response.
27+
The HTTP request to the server contains the Kerberos token in the `Authorize` header. The size of the Kerberos token contained within the HTTP header increases together with the number of user groups for the authenticating user. If the HTTP header or packet size increases past the limits that are configured on the server, the server may reject the request and send an error message as the response.
2828

2929
## Workaround 1: Decrease the number of Active Directory groups
3030

3131
Decrease the number of Active Directory groups that the user is a member of.
3232

3333
## Workaround 2: Set MaxFieldLength and MaxRequestBytes registry entries
3434

35-
Increase the settings for the `MaxFieldLength` and the `MaxRequestBytes` registry entries on the server so that the user's request headers don't exceed these values. To determine the appropriate settings, use the following calculations:
35+
Increase the settings for the `MaxFieldLength` and the `MaxRequestBytes` registry entries on the IIS server so that the user's request headers don't exceed these values. To determine the appropriate settings, use the following calculations:
3636

3737
1. Calculate the size of the user's Kerberos token by using the formula described in [Problems with Kerberos authentication when a user belongs to many groups](../../../../windows-server/windows-security/kerberos-authentication-problems-if-user-belongs-to-groups.md).
3838

3939
2. Set the value of `MaxFieldLength` and `MaxRequestBytes` on the server to 4/3 * T bytes, where T is the user's token size in bytes. HTTP encodes the Kerberos token by using base64 encoding.
4040

4141
> [!NOTE]
42-
> This replaces every three bytes in the token with four base64-encoded bytes. Changes that are made to the registry do not take effect until you restart the HTTP service. Additionally, you may have to restart any related services, such as IIS services.
42+
> This replaces every three bytes in the token with four base64-encoded bytes. Changes that are made to the registry don't take effect until you restart the HTTP service. Additionally, you'll need to restart any related services, such as IIS services.
4343
4444
Depending on your application environment, you might also work around this problem by configuring the website to use Windows NT LAN Manager (NTLM) instead of Kerberos. Some application environments require Kerberos authentication to be used for delegation. We consider Kerberos authentication to be more secure than NTLM. And we recommend that you don't disable Kerberos authentication before you consider the security and delegation ramifications.
4545

4646
## More information
4747

48-
By default, there is no `MaxFieldLength` registry entry. This entry specifies the maximum size limit of each HTTP request header. The `MaxRequestBytes` registry entry specifies the upper limit for the total size of the Request line and the headers. Typically, this registry entry is configured together with the `MaxRequestBytes` registry entry. If the `MaxRequestBytes` value is lower than the `MaxFieldLength` value, the `MaxFieldLength` value is adjusted. In large Active Directory environments, users may experience logon failures if the values for both these entries aren't set to a sufficiently high value.
48+
By default, there's no `MaxFieldLength` registry entry. This entry specifies the maximum size limit of each HTTP request header. The `MaxRequestBytes` registry entry specifies the upper limit for the total size of the Request line and the headers. Typically, this registry entry is configured together with the `MaxRequestBytes` registry entry. If the `MaxRequestBytes` value is lower than the `MaxFieldLength` value, the `MaxFieldLength` value is adjusted. In large Active Directory environments, users may experience logon failures if the values for both these entries aren't set to a sufficiently high value.
49+
50+
The size of `MaxFieldLength` and `MaxRequestBytes` shouldn't exceed the maximum allowed values for these fields that are defined in [Http.sys registry settings for Windows](../health-diagnostic-performance/httpsys-registry-windows.md).
4951

5052
For IIS versions shipped with Windows Server 2016 and later, the `MaxFieldLength` and `MaxRequestBytes` registry keys are located in the following subkey:
5153

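Review bot: the new line 27 names the header `Authorize`, which is not an HTTP header; the request header that carries the Kerberos token is `Authorization`, which is exactly what the rewritten Symptoms paragraph in the first hunk already states ("header name: `Authorization`"). Change it to `Authorization` so the two paragraphs agree. Separately, the NOTE at line 42 changes "you may have to restart any related services" to "you'll need to restart any related services", turning a conditional into a requirement; keep the original wording unless that strengthening is intended.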