HTTP 400 Bad Request (Request Header too long) responses to HTTP requests
When an HTTP request that needs Kerberos authentication is sent to a website that's hosted on Internet Information Services (IIS) and is configured to use Kerberos authentication, the HTTP request header would be very long. This article helps you work around the HTTP 400 error that occurs when the HTTP request header is too long.
Original product version: Windows Server 2016
Original KB number: 2020943
An HTTP request that needs Kerberos authentication is sent from a browser to a website that's hosted on IIS. The website is configured to use Kerberos authentication. However, instead of receiving the expected webpage, you receive an error message that resembles the following one:
HTTP 400 - Bad Request (Request header too long)
This response could be generated by any HTTP request that includes Windows Remote Management (WinRM).
This issue may occur if the user is a member of many Active Directory user groups.
The HTTP request to the server contains the Kerberos token in the
WWW-Authenticate header. The header size increases together with the number of user groups. If the HTTP header or packet size increases past the limits that are configured on the server, the server may reject the request and send an error message as the response.
Workaround 1: Decrease the number of Active Directory groups
Decrease the number of Active Directory groups that the user is a member of.
Workaround 2: Set MaxFieldLength and MaxRequestBytes registry entries
Increase the settings for the
MaxFieldLength and the
MaxRequestBytes registry entries on the server so that the user's request headers don't exceed these values. To determine the appropriate settings, use the following calculations:
Calculate the size of the user's Kerberos token by using the formula described in the following article:
Problems with Kerberos authentication when a user belongs to many groups.
Set the value of
MaxRequestByteson the server to 4/3 * T bytes, where T is the user's token size in bytes. HTTP encodes the Kerberos token by using base64 encoding.
This replaces every three bytes in the token with four base64-encoded bytes. Changes that are made to the registry do not take effect until you restart the HTTP service. Additionally, you may have to restart any related services, such as IIS services.
Depending on your application environment, you might also work around this problem by configuring the website to use Windows NT LAN Manager (NTLM) instead of Kerberos. Some application environments require Kerberos authentication to be used for delegation. We consider Kerberos authentication to be more secure than NTLM. And we recommend that you don't disable Kerberos authentication before you consider the security and delegation ramifications.
By default, there is no
MaxFieldLength registry entry. This entry specifies the maximum size limit of each HTTP request header. The
MaxRequestBytes registry entry specifies the upper limit for the total size of the Request line and the headers. Typically, this registry entry is configured together with the
MaxRequestBytes registry entry. If the
MaxRequestBytes value is lower than the
MaxFieldLength value, the
MaxFieldLength value is adjusted. In large Active Directory environments, users may experience logon failures if the values for both these entries aren't set to a sufficiently high value.
For IIS 6.0 and later, the
MaxRequestBytes registry keys are located at the following sub key:
Set the key values as shown in the following table:
|Name||Value Type||Value Data|
|MaxFieldLength||DWORD||(4/3 * T bytes) + 200|
|MaxRequestBytes||DWORD||(4/3 * T bytes) + 200|
You can also set the registry keys to their maximum values, as shown in the next table. Consider all potential security ramifications before you make any changes to the registry settings.
|Name||Value Type||Value Data|
|MaxFieldLength||DWORD||65536 (Dec) or 10000 (Hex)|
|MaxRequestBytes||DWORD||16777216 (Dec) or 1000000 (Hex)|
Changing these registry keys should be considered to be extremely dangerous. These keys allow larger HTTP packets to be sent to IIS. This, in turn, may cause Http.sys to use more memory. Therefore, such changes can increase the computer's vulnerability to malicious attacks.
MaxFieldLength is set to its maximum value of 64 KB, the
MaxTokenSize registry value should be set to 3/4 * 64 = 48 KB. For more information about the
MaxTokenSize setting, see Problems with Kerberos authentication when a user belongs to many groups.