HTTP 400, Kerberos, Bad Request, MaxTokenSize, TokenSz

We turned on Kerberos for a client this past weekend, and one of the gifts that we got was that some of the users couldn’t log in to the portal. Other users weren’t able to post a form to the server. They would get an HTTP 400 Bad Request.

Initially it was thought that the Kerberos ticket might be getting larger than the MaxTokenSize (see KB327825). After I chatted with my friend Laura Hunter, I was pointed to the TokenSz utility. It will show you the token size of the current user. With this information I found that, for the most part, the users had token sizes of ~3K. One user had a token size of 8194 bytes. So, knowing that the token sizes were much smaller than the 12K limit that MaxTokenSize defaults to, I had to do some more digging.

Ultimately, I found that HTTP.SYS has a smallish default buffer size for incoming requests, and large Kerberos tickets can actually exceed the available size for this buffer. Luckily, KB2020943 shows you the registry settings you can change to increase the buffer size of HTTP.SYS. There’s a reboot required after the change, but after that the users were able to log in. For our environment we felt like a MaxFieldLength of 25K was plenty of headroom for our needs.
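
An added example, not from the original post or the KB article: a PowerShell audit that estimates the size of the Negotiate header for a TokenSz result and compares it with the HTTP.SYS limits, optionally raising them. The registry path, the `MaxRequestBytes` value and the 16384-byte default come from Microsoft's HTTP.SYS registry documentation rather than from this post, and the parameter names are hypothetical.

```powershell
# Added example: audit (and optionally raise) the HTTP.SYS header limits.
# Run from an elevated prompt. Parameter names are hypothetical.
param(
    [Parameter(Mandatory)] [int] $TokenBytes,      # largest size reported by TokenSz
    [ValidateRange(0, 65534)] [int] $NewLimit = 0  # 0 = audit only; 65534 is the MaxFieldLength ceiling
)

$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$default = 16384   # assumed effective value when the registry entry is absent

# The ticket is sent base64-encoded as "Authorization: Negotiate <token>",
# so it grows by a third before HTTP.SYS measures it.
$encoded     = [int](4 * [math]::Ceiling($TokenBytes / 3))
$headerBytes = 'Authorization: Negotiate '.Length + $encoded

foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $source  = 'registry'
    if ($null -eq $current) { $current = $default; $source = 'default' }

    [pscustomobject]@{
        Setting     = $name
        Current     = $current
        Source      = $source
        HeaderBytes = $headerBytes
        # MaxRequestBytes also has to hold the request line, cookies and every
        # other header, so the Negotiate header alone is only a lower bound.
        Fits        = $headerBytes -lt $current
    }

    if ($NewLimit -gt $current) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $NewLimit -Force | Out-Null
        Write-Warning "$name set to $NewLimit; reboot for HTTP.SYS to pick it up."
    }
}
```

Running it with only `-TokenBytes` changes nothing and just reports whether the estimated header fits; pass `-NewLimit` with the value chosen for the environment to write both settings.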