Apache Bad Request "Size of a request header field exceeds server limit" with Kerberos SSO


Solution 1

My gut says you've got a very large security token, possibly because the user is a member of a large number of groups. The AD Kerberos implementation is going to provide Apache with a Privilege Attribute Certificate (PAC) by default. This structure can be large if the user is a member of a significant number of groups. You can use the tokensz.exe tool to see the user's token size.

If this is the problem, you can modify the UserAccountControl attribute of the user's account to prevent the PAC from being sent.

You may be able to get away with modifying your /etc/krb5.conf file to reference the KDC as kdc = tcp/kdc.name.here. This problem can occur if the PAC causes the token to be too large for a UDP datagram, but forcing the communication to the KDC with TCP is a possible workaround, too.

Changing that value on 1,000 users isn't difficult for your AD admins if it solves your problem.

Solution 2

I found another solution, though I'm not sure if it really works. The Apache docs state that for big packages I'll have to set LimitRequestFieldSize and/or LimitRequestLine.

The thing is that if you want to set the value of LimitRequestLine to anything higher than 8KB then you'll have to modify the source and recompile Apache, as 8KB is the fixed maxSize (http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline).

I don't know for sure if this method works, because I reinstalled Apache from our own repository on a second server later. It seems that this was a different package version, as the problem didn't occur there.
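To put numbers on what Solution 1 and Solution 2 describe, here is an added example (my own code, not from this thread and not from httpd) that estimates the size of a PAC-bloated Kerberos token, builds the `Authorization: Negotiate` header line as it goes on the wire, and applies the same two per-line checks httpd's header reader does against LimitRequestLine and LimitRequestFieldSize. The token-size estimate uses the rule-of-thumb formula 1200 + 40*d + 8*s bytes (d = domain-local and external universal groups, s = global groups in the user's own domain), which is an approximation I'm assuming here; the real figure comes from tokensz.exe. The request bytes are constructed, and the `hostname` host and `/` path are placeholders.

```python
import base64

DEFAULT_LIMIT = 8190                 # httpd's compiled-in default for both directives
NEGOTIATE_PREFIX = b"Authorization: Negotiate "


def estimate_token_size(domain_local_groups, global_groups):
    """Rough Kerberos token (ticket + PAC) size in bytes.

    Assumption: the commonly cited rule of thumb 1200 + 40*d + 8*s, where d is
    the number of domain-local and external universal groups and s the number
    of global groups in the user's own domain. tokensz.exe gives the real value.
    """
    return 1200 + 40 * domain_local_groups + 8 * global_groups


def negotiate_header_line(token):
    """The Authorization header line exactly as it travels on the wire."""
    return NEGOTIATE_PREFIX + base64.b64encode(token)


def max_token_for_limit(limit_field=DEFAULT_LIMIT):
    """Largest raw token (in bytes) whose base64 form still fits one header line."""
    return (limit_field - len(NEGOTIATE_PREFIX)) // 4 * 3


def build_request(token, path=b"/", host=b"hostname"):
    """Constructed sample request; only the header sizes matter here."""
    return b"\r\n".join([
        b"GET " + path + b" HTTP/1.1",
        b"Host: " + host,
        negotiate_header_line(token),
        b"",
        b"",
    ])


def check_request(raw, limit_line=DEFAULT_LIMIT, limit_field=DEFAULT_LIMIT):
    """Apply httpd's two header-size checks to a raw request.

    Returns None when the request would be accepted, otherwise (status, reason)
    matching httpd's behaviour: 414 for an oversized request line, 400 for an
    oversized header field. As in httpd, the field length counts the field
    name, and folded continuation lines count toward the same field.
    """
    lines = raw.split(b"\r\n")
    if len(lines[0]) > limit_line:
        return (414, "size of request line exceeds server limit")
    field_name, field_len = None, 0
    for line in lines[1:]:
        if line == b"":                # empty line ends the header block
            break
        if line[:1] in (b" ", b"\t"):
            field_len += len(line)     # folded continuation of the previous field
        else:
            field_name = line.split(b":", 1)[0].decode("latin-1")
            field_len = len(line)
        if field_len > limit_field:
            return (400, "Size of a request header field exceeds server limit: "
                         "%s (%d bytes)" % (field_name, field_len))
    return None


if __name__ == "__main__":
    print("raw token bytes that fit the default limit:", max_token_for_limit())
    for d, s in [(20, 30), (200, 100)]:
        # constructed token: its content is irrelevant, only its size matters
        token = bytes(estimate_token_size(d, s))
        print(d, s, len(token), check_request(build_request(token)))
```

Two things the numbers make visible: base64 inflates the token by a third, so the default 8190-byte field limit is already exceeded by a raw token of a little over 6 KB, and LimitRequestLine is not the directive that matters here, because the Negotiate token is a header field rather than part of the request line. One more thing to check on your httpd version: the 2.2 documentation lists LimitRequestFieldSize and LimitRequestLine under the context "server config" only (2.4 adds "virtual host"), so confirm that a value placed inside a <VirtualHost> block, as in the question's vhost.cfg, is actually honoured.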

Solution 3

I had this error on a Drupal 7 site in Safari on Mac and found that closing the browser windows, clearing the browser cache, quitting the browser, opening it back up and reloading the page made the error go away. It has only happened this one time.

Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.
Cookie

Solution 4

In case anyone hits this problem with mod_proxy_ajp, take a look at: "From which Apache version onward is LimitRequestFieldSize no longer hardcoded to 8k max?"


Author: Aurelin

Updated on September 18, 2022

Comments

  • Aurelin
    Aurelin over 1 year

    I'm setting up an SSO for Active Directory users through a website that runs on an Apache (Apache2 on SLES 11.1), and when testing with Firefox it all works fine. But when I try to open the website in Internet Explorer 8 (Windows 7), all I get is

    "Bad Request

    Your browser sent a request that this server could not understand.

    Size of a request header field exceeds server limit.

    Authorization: Negotiate [ultra long string]"

    My vhost.cfg looks like this:

    <VirtualHost hostname:443>
      LimitRequestFieldSize 32760
      LimitRequestLine 32760
      LogLevel debug

      <Directory "/data/pwtool/sec-data/adbauth">
        AuthName "Please login with your AD-credentials (Windows Account)"
        AuthType Kerberos
        KrbMethodNegotiate on
        KrbAuthRealms REALM.TLD
        KrbServiceName HTTP/hostname
        Krb5Keytab /data/pwtool/conf/http_hostname.krb5.keytab
        KrbMethodK5Passwd on
        KrbLocalUserMapping on
        Order allow,deny
        Allow from all
      </Directory>

      <Directory "/data/pwtool/sec-data/adbauth">
        Require valid-user
      </Directory>

      SSLEngine on
      # note: this suite also enables LOW, EXP, SSLv2 and eNULL (unencrypted) ciphers
      SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
      SSLCertificateFile /etc/apache2/ssl.crt/hostname-server.crt
      SSLCertificateKeyFile /etc/apache2/ssl.key/hostname-server.key
    </VirtualHost>

    I also made sure that the cookies are deleted and tried several smaller values for LimitRequestFieldSize and LimitRequestLine.

    Another thing that seems weird to me is that even with LogLevel debug I won't get any logs about this. The log's last line is

    ssl_engine_kernel.c(1879): OpenSSL: Write: SSL negotiation finished successfully
    

    Does anyone have an idea about that?

    • Aurelin
      Aurelin over 11 years
      Hey Gani, I'm not sure. I wrote my "not-sure-if-works"-solution here serverfault.com/a/426599/111458 . Please excuse my late answer. If you still need the solution, try my answer and let me/us know if it worked =)
  • Aurelin
    Aurelin about 12 years
    (Uh damn, accidentally deleted the comment. I'm still sleeping, it seems) Well, so I may ask them whether they would change that, but I doubt it due to the org. structure. And it's not that my project is super important, so.. I'll try the modification of /etc/krb5.conf first.. Thanks. Btw, any idea why this problem only occurs in IE, but not in Opera nor Firefox?
  • Aurelin
    Aurelin about 12 years
    I tried to modify /etc/krb5.conf, but that doesn't fix it at all. Another thing I just figured out is that your link describes only a solution for Win2k3 Servers, but we run Win2k8 RC2. I forgot to mention that, sorry.
  • Aurelin
    Aurelin about 12 years
    Well.. I have to say it was a bit weird
  • Colin 't Hart
    Colin 't Hart over 11 years
    Sounds like a "Microsoft" solution to me: Reboot and hope the problem goes away.
  • John Gardeniers
    John Gardeniers over 11 years
    @Colin, regardless of how much this may sound like a "Microsoft" answer, many times that is exactly what is required. When clearing a browser's cache many browsers fail to empty the in-memory cache, hence the need to restart the browser. It certainly applies to Mac versions of Firefox, Chrome and Camino. I never use Safari so I can't comment on that one.