Size of a request header field exceeds server limit (when using Kerberos Authentication)
Technical Articles ID:  KB60332
Last Modified:  10/09/2013


Environment

Email and Web Security Appliance software 5.x

Problem

Multi-group environments can have a problem with Transparent Authentication when Kerberos is the chosen authentication method, because the size of the HTTP request header affects Kerberos authentication. Typically, the Appliance can handle a request header of up to 8KB. Anything larger generates the following error message during HTTP transparent authentication:

Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit


Cause

The large Kerberos token size is caused by the way the Active Directory environment is configured. To check the size of the Kerberos token, install the following tool on the Active Directory server: http://www.microsoft.com/downloads/details.aspx?FamilyID=4A303FA5-CF20-43FB-9483-0F0B0DAE265C&displaylang=en.

Use the tool to obtain the token size for the keytab user created for the Appliance keytab file. The output of the tool shows the keytab user's token size, for example: MaxToken (complete context) 12827. Here the token size (12827) is greater than 8KB.

Solution

The Appliance is only part of the issue, and modifying the Appliance configuration to accept a larger token size for Kerberos can cause security issues that will leave the Apache service that handles the transparent authentication vulnerable.

To resolve this issue, make changes on the Active Directory server to reduce the token size of the keytab user. These changes only affect the keytab user. If required, consult your Active Directory administrator for assistance:

Obtain the userAccountControl value for the keytab user
  1. Run an ldif report or use adsiedit.msc from Microsoft Support Tools. An example of a userAccountControl value is 66048.
    Adsiedit.msc is usually found in the \Program Files\Support Tools directory on the Active Directory server.
  2. If you do not have the Support Tools installed, download them for the relevant Windows Server version.
    For more information, go to http://technet.microsoft.com/en-us/library/cc755948.aspx.

Changing the userAccountControl value to reduce the Token size
The Appliance does not require the Privilege Attribute Certificate (PAC) information that the userAccountControl includes by default.

More information on the PAC is found at: http://support.microsoft.com/kb/832572.

For information on the userAccountControl bits, see: http://msdn.microsoft.com/en-us/library/cc200366.aspx.
  1. Enable NA (ADS_UF_NO_AUTH_DATA_REQUIRED). According to the article referenced above, the 7th bit (counting from the left) of the 32-bit binary value must be set to enable this.
    For example, if the userAccountControl value is 66048, the binary value is 00000000000000010000001000000000.
  2. Set the 7th bit. In our example this changes the userAccountControl value to 00000010000000010000001000000000 = 33620480.
  3. After the new binary number is known, convert the binary value back to a decimal value:
    For example, 00000010000000010000001000000000 = 33620480
  4. Record the decimal number because it will be used later.
  5. Delete the existing keytab user from Active Directory. Ensure the user is completely removed from Active Directory.
  6. Recreate the keytab user in Active Directory. Ensure the userAccountControl value is the same as before (for our example, userAccountControl = 66048).
  7. Using adsiedit.msc, change the userAccountControl value so that the 7th bit is set, as worked out earlier (for our example, userAccountControl = 33620480).
  8. Check the token size using tokensz to confirm that the value is now less than 8KB.
  9. Generate the keytab. For more information, see KB54816.
  10. After all configurations for Kerberos are complete, authentication will work.
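The bit arithmetic in the procedure above is easy to get wrong by hand, so here is an added worked example (not part of this KB article and not an Appliance or Microsoft tool) that sets ADS_UF_NO_AUTH_DATA_REQUIRED on a userAccountControl value, shows the 32-bit binary form the article uses, decodes the flags that are set, and checks a tokensz result against the 8KB limit. The flag values are the documented userAccountControl constants; the 8KB limit is assumed to mean 8192 bytes, and the header-size estimate assumes the token travels base64-encoded in an Authorization: Negotiate header, as it does for HTTP Negotiate authentication.

```python
# Added example: userAccountControl bit arithmetic for the
# ADS_UF_NO_AUTH_DATA_REQUIRED change, plus a token-size check.
# Flag constants are the documented userAccountControl bit values.

ADS_UF_NORMAL_ACCOUNT = 0x00000200          # 512
ADS_UF_DONT_EXPIRE_PASSWD = 0x00010000      # 65536
ADS_UF_NO_AUTH_DATA_REQUIRED = 0x02000000   # 33554432; 7th bit from the left of 32

# Subset of userAccountControl flags, used only to decode a value for display.
UAC_FLAGS = {
    0x00000002: "ADS_UF_ACCOUNTDISABLE",
    0x00000020: "ADS_UF_PASSWD_NOTREQD",
    0x00000200: "ADS_UF_NORMAL_ACCOUNT",
    0x00010000: "ADS_UF_DONT_EXPIRE_PASSWD",
    0x00080000: "ADS_UF_TRUSTED_FOR_DELEGATION",
    0x00100000: "ADS_UF_NOT_DELEGATED",
    0x00400000: "ADS_UF_DONT_REQUIRE_PREAUTH",
    0x02000000: "ADS_UF_NO_AUTH_DATA_REQUIRED",
}

# Assumption: the article's "8KB" is treated as 8192 bytes.
HEADER_LIMIT_BYTES = 8192


def to_bin32(value):
    """Render a userAccountControl value as the 32-bit string the article uses."""
    return format(value & 0xFFFFFFFF, "032b")


def bit_from_left(value, n):
    """Return bit number n counting from the left (1 = most significant of 32)."""
    return (value >> (32 - n)) & 1


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def set_no_auth_data_required(value):
    """Set ADS_UF_NO_AUTH_DATA_REQUIRED (idempotent: OR, not add)."""
    return value | ADS_UF_NO_AUTH_DATA_REQUIRED


def token_exceeds_limit(token_size, limit=HEADER_LIMIT_BYTES):
    """True when a tokensz MaxToken value is above the accepted header size."""
    return token_size > limit


def negotiate_header_bytes(token_size):
    """Approximate on-the-wire size of 'Authorization: Negotiate <base64 token>'.

    Assumption: the raw token is base64-encoded (4 output bytes per 3 input
    bytes, padded), so the header field is larger than tokensz reports.
    """
    return len("Authorization: Negotiate ") + 4 * ((token_size + 2) // 3)


def plan_change(current_uac, token_size):
    """Summarise the article's steps for one account: constructed values only."""
    new_uac = set_no_auth_data_required(current_uac)
    return {
        "token_too_large": token_exceeds_limit(token_size),
        "before_binary": to_bin32(current_uac),
        "after_binary": to_bin32(new_uac),
        "after_decimal": new_uac,
        "seventh_bit_set": bit_from_left(new_uac, 7) == 1,
        "flags_after": decode_uac(new_uac),
    }


if __name__ == "__main__":
    # Constructed input matching the article's worked example.
    for key, val in plan_change(66048, 12827).items():
        print(f"{key}: {val}")
```

Running the block with the article's example values (66048, token size 12827) reports the token as too large, prints the same before and after binary strings as the article, and gives 33620480 as the new decimal value. Because the function ORs the flag in rather than adding 33554432, it is safe to apply to an account where the bit is already set, and decode_uac lets you confirm that the only change is the added ADS_UF_NO_AUTH_DATA_REQUIRED flag alongside the original ADS_UF_NORMAL_ACCOUNT and ADS_UF_DONT_EXPIRE_PASSWD.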

© 2003-2013 McAfee, Inc.