Last Modified: 10/9/2013
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit
Use the tokensz tool to obtain the token size of the keytab user created for the Appliance keytab file. The output of the tool shows the token size of the keytab user, for example: MaxToken (complete context) 12827. Here the token size (12827) is greater than 8KB.
The Appliance is only part of the issue: modifying the Appliance configuration to accept a larger Kerberos token can cause security issues that leave the Apache service handling the transparent authentication vulnerable.
To resolve this issue, make changes on the Active Directory server to reduce the token size of the keytab user. These changes affect only the keytab user. If required, consult your Active Directory administrator for assistance:
- Determine the current userAccountControl value of the keytab user: run an ldif report or use adsiedit.msc from the Microsoft Support Tools. An example userAccountControl value would be 66048.
adsiedit.msc is usually found in the Program Files\Support Tools directory on the Active Directory server.
- If you do not have the support tools installed, download them for the relevant Windows Server.
For more information go to http://technet.microsoft.com/en-us/library/cc755948.aspx.
The Appliance does not require the Privilege Attribute Certificate (PAC) information that the userAccountControl includes by default.
More information on the PAC is found at: http://support.microsoft.com/kb/832572.
For information on the userAccountControl bits see: http://msdn.microsoft.com/en-us/library/cc200366.aspx.
- Enable NA (ADS_UF_NO_AUTH_DATA_REQUIRED). According to the article referenced above, the 7th bit (counting from the left) of the 32-bit binary value must be enabled to implement this.
For example, if the userAccountControl value is 66048, the binary value is 00000000000000010000001000000000.
- Change the 7th bit. In our example this alters the userAccountControl value to 00000010000000010000001000000000 = 33620480.
- After the new binary number is known, convert it back to a decimal value:
For example, 00000010000000010000001000000000 = 33620480
- Record the decimal number because it will be used later.
- Delete the existing keytab user from the Active Directory. Ensure the user is completely removed from the Active Directory.
- Recreate the keytab user in Active Directory. Ensure the userAccountControl value is the same as before (for our example, userAccountControl = 66048).
- Using adsiedit.msc, change the userAccountControl value so that the 7th bit is enabled as worked out earlier (for our example, userAccountControl = 33620480).
- Check the token size using tokensz to see whether the value is now less than 8KB.
- Generate the keytab. For more information, see KB54816.
- After all Kerberos configuration steps are complete, authentication will work.
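The bit arithmetic from the procedure above, as an added Python example (not part of the KB article): the flag constants are Microsoft's documented ADS_USER_FLAG_ENUM values, and the change is applied with a bitwise OR rather than by adding 33554432, so it stays correct on an account where the bit is already set.

```python
# Added worked example: set ADS_UF_NO_AUTH_DATA_REQUIRED on a userAccountControl
# value the way the article does it by hand with adsiedit.msc.
from typing import List

# Documented userAccountControl flag values (Microsoft ADS_USER_FLAG_ENUM).
ADS_UF_NORMAL_ACCOUNT = 0x00000200
ADS_UF_DONT_EXPIRE_PASSWD = 0x00010000
ADS_UF_NO_AUTH_DATA_REQUIRED = 0x02000000  # KDC omits the PAC from tickets

FLAG_NAMES = {
    ADS_UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    ADS_UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    ADS_UF_NO_AUTH_DATA_REQUIRED: "NO_AUTH_DATA_REQUIRED",
}


def to_bin32(value: int) -> str:
    """Render a userAccountControl value as the 32-bit string used in the article."""
    if not 0 <= value < 2**32:
        raise ValueError("userAccountControl must fit in 32 bits")
    return format(value, "032b")


def set_no_auth_data_required(uac: int) -> int:
    """Return uac with ADS_UF_NO_AUTH_DATA_REQUIRED set (OR, not +, so it is idempotent)."""
    return uac | ADS_UF_NO_AUTH_DATA_REQUIRED


def has_no_auth_data_required(uac: int) -> bool:
    """True when the PAC-suppressing flag is already present."""
    return bool(uac & ADS_UF_NO_AUTH_DATA_REQUIRED)


def decode_flags(uac: int) -> List[str]:
    """Name the known flags set in uac; unknown bits are reported as hex masks."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if uac & mask:
            names.append(FLAG_NAMES.get(mask, f"0x{mask:08x}"))
    return names


def bit_position_from_left(mask: int) -> int:
    """1-based position of a single-bit mask in the left-to-right 32-bit string."""
    return 32 - mask.bit_length() + 1


if __name__ == "__main__":
    before = 66048  # the article's example value
    after = set_no_auth_data_required(before)
    print(to_bin32(before), before, decode_flags(before))
    print(to_bin32(after), after, decode_flags(after))
    print("flag is bit", bit_position_from_left(ADS_UF_NO_AUTH_DATA_REQUIRED), "from the left")
```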