Does not apply to Identity Cloud

WDSSO/Kerberos authentication fails in AM (All versions) with an HTTP 400 Bad Request response

Last updated Nov 23, 2021

The purpose of this article is to provide assistance if Windows Desktop SSO/Kerberos™ authentication fails in AM with an HTTP 400 Bad Request response.



Symptoms

The browser hangs when attempting WDSSO/Kerberos authentication and you see one of the following responses:

HTTP 400 - Bad Request (Request Header too long)

HTTP 400 - Bad Request

This may only affect some users, especially those who are members of a large number of Active Directory® groups.

Recent Changes

N/A

Causes

AM itself does not limit the token size. This issue occurs when the Kerberos token the browser sends in the Authorization: Negotiate section of the HTTP request header is larger than the buffers that the transport allocates based on the MaxTokenSize setting. This can happen when a user is a member of a large number of Active Directory groups (typically more than 120 universal groups), because each group membership adds to the size of the token.

The token has a fixed maximum size (MaxTokenSize) depending on the version of Microsoft® Windows® used to build the token. Transport protocols such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication operations. 

See Problems with Kerberos authentication when a user belongs to many groups for further information.

Solution

You can resolve this issue by setting the MaxTokenSize registry entry to a larger value on each computer that participates in the Kerberos authentication process, including the client computers.

See Problems with Kerberos authentication when a user belongs to many groups for further information on setting the MaxTokenSize registry entry.

Workaround

You can work around this issue by increasing the maximum header size in the web application container. Increase it to a size that accommodates your expected token sizes. You can capture an HTTP trace when authentication fails to determine the size of the token being passed in the header (the token is base64-encoded in the header, so it occupies about a third more space than the raw token). Otherwise, increasing the limit to 16KB is a good starting point.

Note

This option may consume more memory; you should test this to determine the optimal size in your environment.

For example, for Tomcat:

  1. Edit the server.xml file and amend the maxHttpHeaderSize value, for example, to increase it to 16KB:

     <Connector port="443" maxHttpHeaderSize="16384" protocol="HTTP/1.1" SSLEnabled="true"

     If this attribute is not present, you should add it with the new value.

See Apache Tomcat 9 Configuration Reference: HTTP Connector for further information.
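The following script is an added example and is not part of this article or of the AM product; it shows how to size the container header limit from a captured request, as the workaround above suggests. It measures the header block and the Authorization: Negotiate header of a raw HTTP request capture, decodes the base64 token to get its real size, and compares the header block against Tomcat's default maxHttpHeaderSize of 8192 bytes. It also carries Microsoft's published rule of thumb for estimating token size from group membership (1200 + 40d + 8s) and rounds a recommended limit up to the next 4KB boundary. The request text, the token filler bytes, the 2048-byte allowance for other headers and the 4KB rounding are constructed assumptions for the example; a real SPNEGO token is not just zero bytes.

```python
import base64
import math

# Tomcat's default maxHttpHeaderSize in bytes (Tomcat 9 HTTP Connector reference).
TOMCAT_DEFAULT_MAX_HEADER = 8192


def build_request(token: bytes, host: str = "am.example.com") -> bytes:
    """Construct the second-leg Negotiate request a browser sends to AM.

    Constructed sample only: the token bytes are filler, not a real SPNEGO
    token. The token is base64-encoded into the header, which is why the
    header grows to roughly 4/3 of the raw token size.
    """
    auth = base64.b64encode(token).decode("ascii")
    return (
        "GET /am/XUI/ HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Authorization: Negotiate {auth}\r\n"
        "User-Agent: constructed-sample\r\n"
        "\r\n"
    ).encode("ascii")


def measure_negotiate(raw_request: bytes) -> dict:
    """Measure a captured request head.

    Returns the size of the whole header block (request line plus headers,
    which is what the container compares against its header limit), the size
    of the Authorization header line, and the size of the decoded token.
    Raises ValueError if there is no Authorization: Negotiate header.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    head += b"\r\n"  # put back the CRLF that terminates the last header line
    auth_line = None
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"authorization: negotiate "):
            auth_line = line
            break
    if auth_line is None:
        raise ValueError("no Authorization: Negotiate header in request")
    token_b64 = auth_line.split(b" ", 2)[2]
    token = base64.b64decode(token_b64, validate=True)
    return {
        "header_block_bytes": len(head),
        "authorization_line_bytes": len(auth_line),
        "token_bytes": len(token),
    }


def fits_in_container(raw_request: bytes,
                      max_http_header_size: int = TOMCAT_DEFAULT_MAX_HEADER) -> bool:
    """True if the request head fits within the container's header limit."""
    return measure_negotiate(raw_request)["header_block_bytes"] <= max_http_header_size


def estimate_token_size(domain_local_and_foreign_universal: int,
                        global_and_home_universal: int) -> int:
    """Microsoft's published estimate of Kerberos token size in bytes.

    TokenSize = 1200 + 40d + 8s, where d counts domain local groups plus
    universal groups outside the user's account domain (and SID-history
    entries), and s counts global security groups plus universal groups in
    the user's own domain. It is an estimate; the real PAC carries more.
    """
    return 1200 + 40 * domain_local_and_foreign_universal + 8 * global_and_home_universal


def recommended_max_header(token_size: int, other_headers: int = 2048) -> int:
    """Header limit that holds the base64-expanded token plus other headers.

    The 2048-byte allowance for the remaining headers and the rounding up to
    a 4KB multiple are assumptions made for this example.
    """
    need = math.ceil(token_size / 3) * 4 + other_headers
    return ((need + 4095) // 4096) * 4096


if __name__ == "__main__":
    # A 9000-byte token overflows the 8192-byte default but fits in 16KB.
    big = build_request(bytes(9000))
    print(measure_negotiate(big))
    print("fits default:", fits_in_container(big))
    print("fits 16KB:", fits_in_container(big, 16384))
    print("recommended limit:", recommended_max_header(9000))
```

Run it against a real capture by passing the raw request bytes from your HTTP trace to measure_negotiate; the header_block_bytes value is the number to compare against maxHttpHeaderSize, and recommended_max_header gives a rounded starting value for the connector attribute.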

See Also

How do I troubleshoot Kerberos and WDSSO issues in AM (All versions)?

How do I enable debug logging for troubleshooting Kerberos and WDSSO issues in AM (All versions)?

Configuring and troubleshooting WDSSO in AM

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.