Share via

HTTP 400 - Bad Request (Request Header too long) -- error in Internet Information Services (IIS)

  • Article

https://support.microsoft.com/kb/2020943

 

MaxTokenSize: https://support.microsoft.com/kb/327825

 

By default, the MaxFieldLength registry entry is not present. This registry entry specifies the maximum size limit of each HTTP request header. The MaxRequestBytes registry entry specifies the upper limit for the total size of the Request line and the headers. Typically, this registry entry is configured together with the MaxRequestBytes registry entry. If the MaxRequestBytes value is lower than the MaxFieldLength value, the MaxFieldLength value is adjusted. In large Active Directory environments, users may experience logon failures if the values for both these entries are not set to a sufficiently high value.

For Internet Information Services (IIS) 6.0 and later, the MaxFieldLength and MaxRequestBytes registry keys are located at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. Configure them as shown in the following table:

Name

Value Type

Value Data

MaxFieldLength

DWORD

(4/3 * T bytes) + 200

MaxRequestBytes

DWORD

(4/3 * T bytes) + 200

 

 

 

Alternatively you may set the registry keys to their maximum values shown below. The Administrator should consider all potential security ramifications if he makes any changes to the registry settings:

 

Name

Value Type

Value Data

MaxFieldLength

DWORD

65534

MaxRequestBytes

DWORD

16777216

 

 

 

IMPORTANT: Changing these registry keys can be considered extremely dangerous. These keys allow larger HTTP packets to be sent to IIS, which in turn may cause Http.sys to use more memory and may increase vulnerability to malicious attacks.

 

NOTE: If MaxFieldLength is configured to its maximum value of 64KB, then the MaxTokenSize registry value should be set to 3/4 * 64 = 48KB. For more information on the MaxTokenSize setting, please see the Microsoft knowledge base article KB327825 listed below.

Comments

  • Anonymous
    January 01, 2003
    @ Shirley: all those times you were using IE browser? If so only thing I can think of may be Kerberos authentication not working always?
  • Anonymous
    January 01, 2003
    FYI: this issue does not occur due to Kerberos. it occurs if e.g. a single user has more security groups assigned than the token size can handle.
    That means, that this issue can occur for some users and some not.

  • Anonymous
    March 22, 2014
    The error 400 message appears sometimes, and other times I can get right to the site I want. Sometimes the error appears while I'm on a site. What do you think?
  • Anonymous
    August 16, 2014
    I am having the same problem. I either get TNHTTP 400- Bad request. Maybe the Kreberos authenitication not working right.
  • Anonymous
    August 16, 2014
    I can't get my PCH. entries put in the computer! Please help me?