ADFS 400 request header too long

kool posted this 06 April 2017

Greetings folks,

We see this error from time to time where ADFS auth attempts fail with "The size of the request headers is too long". This article talks about it in general:
https://support.microsoft.com/en-us/help/2020943/-http-400---bad-request-request-header-too-long-error-in-internet-information-services-iis
and this article in reference to ADFS:
https://technet.microsoft.com/en-us/library/adfs2-troubleshooting-user-reported-symptoms(v=ws.10).aspx.
The suggested solution is to increase the allowable header and request size as described in:
https://support.microsoft.com/en-us/help/820129/http.sys-registry-settings-for-windows.

So my question to you esteemed folks is this: has anyone increased this size to, say, 32kb? Any concerns around increasing the max header/request sizes?

Thanks,

Eric


Forum info: http://www.activedir.org

kool posted this 06 April 2017

I forgot to mention that this is with ADFS 2.x. On the WS16 box where I have installed the ADFS 4 role the MaxRequestBytes parameter is already set to 32k. Curiously, the MaxFieldLength parameter is not set. Is this latter setting not necessary?

Thanks again,

Eric
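The two HTTP.sys values named in the thread, read back and optionally raised from PowerShell. This is an added example, not a script from the thread or from Microsoft; the registry path, the value names, the default of 16384 bytes for both, and the upper bounds (65534 for MaxFieldLength, 16777216 for MaxRequestBytes) are taken from the KB 820129 article linked above and should be verified against it. A value that is absent from the registry is reported as the built-in default, which is the situation Eric describes for MaxFieldLength on his WS16 box.

```powershell
# Added example, not from the thread. Reads and optionally raises the HTTP.sys header
# limits described in KB 820129. Assumed from that article: the registry path, the value
# names, a default of 16384 bytes for both, and the documented maximums below.
# Run in an elevated session.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Defaults   = @{ MaxFieldLength = 16384; MaxRequestBytes = 16384 }
$Maximums   = @{ MaxFieldLength = 65534; MaxRequestBytes = 16777216 }

function Get-HttpSysHeaderLimits {
    # One row per value; an absent value means HTTP.sys is running on its built-in default.
    foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
        $item = Get-ItemProperty -Path $HttpParams -Name $name -ErrorAction SilentlyContinue
        $set  = ($null -ne $item) -and ($null -ne $item.$name)
        $bytes  = if ($set) { [int]$item.$name } else { $Defaults[$name] }
        $source = if ($set) { 'registry' } else { 'not set (built-in default)' }
        [pscustomobject]@{ Name = $name; Bytes = $bytes; Source = $source }
    }
}

function Set-HttpSysHeaderLimits {
    param(
        [int]$MaxFieldLength  = 32768,   # cap on a single header line (e.g. the Cookie header)
        [int]$MaxRequestBytes = 32768    # cap on request line plus all headers together
    )
    $requested = @{ MaxFieldLength = $MaxFieldLength; MaxRequestBytes = $MaxRequestBytes }
    foreach ($name in $requested.Keys) {
        if ($requested[$name] -gt $Maximums[$name]) {
            throw "$name=$($requested[$name]) exceeds the documented maximum of $($Maximums[$name])"
        }
    }
    if ($MaxRequestBytes -lt $MaxFieldLength) {
        Write-Warning 'MaxRequestBytes is below MaxFieldLength: the whole-request cap trips before a single header can reach its own cap.'
    }
    if (-not (Test-Path $HttpParams)) { New-Item -Path $HttpParams -Force | Out-Null }
    Set-ItemProperty -Path $HttpParams -Name MaxFieldLength  -Value $MaxFieldLength  -Type DWord
    Set-ItemProperty -Path $HttpParams -Name MaxRequestBytes -Value $MaxRequestBytes -Type DWord
    Write-Warning 'HTTP.sys reads these values at start-up: restart the HTTP service and what depends on it (IIS/ADFS), or reboot, for the change to apply.'
}

Get-HttpSysHeaderLimits | Format-Table -AutoSize
# Uncomment to apply the 32 KB values discussed in the thread:
# Set-HttpSysHeaderLimits -MaxFieldLength 32768 -MaxRequestBytes 32768
```

Raising only MaxRequestBytes leaves the per-header cap at its default, so a single oversized Cookie header can still be rejected; the warning in the setter covers the opposite mismatch, where the whole-request cap is set below the per-header cap.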


joe posted this 07 April 2017

I think it is ok to change this but it is also probably more of a bandaid than an actual fix. All you are really doing is changing the mode of failure but that might be acceptable from a user perspective.
The reason the request headers get too big is that ADFS has a "feature" where it generates a dynamically named cookie as part of certain login flows (typically with an external IDP). If this cookie is issued but never cleared in a subsequent request, it will sit around in the browser's session memory until that goes away. There are a number of "broken" authentication flow scenarios that can occur that will cause the cookie to be issued but never cleared, so that's typically when this problem occurs.
If you set the web server to allow the larger headers, you'll likely make the error 400 go away but you may still have broken logins. What will happen is that the web browsers will eventually stop sending all the cookie data in the request. Different browsers have different max request header sizes so they will all crap out in different ways at different thresholds.
I think at one point we had issues with this and created a simple HTTP module (which you can still use for ADFS v2 since it runs on IIS) that would look for these cookies and clear them. This runs the risk of clearing a cookie that might be needed since it is not easy to tell which ones are good to delete. Sadly, you can't use this technique with later versions of ADFS due to the web app architecture change but it might still provide some relief now.
I'm not sure if this really helped or not. :)
Joe K.
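A defender's check that goes with Joe's explanation: a request rejected for oversized headers never reaches ADFS or the IIS site, so it is missing from the site log, but HTTP.sys records it in its own HTTPERR log with a reason of FieldLength (one header over MaxFieldLength) or RequestLength (the whole request over MaxRequestBytes). Counting those per client and URI shows whether it is one user's browser carrying a stuck cookie or something broader. This is an added example, not code from the thread; the column layout and the two reason phrases are taken from Microsoft's HTTP.sys error-logging documentation, and the sample log lines are constructed.

```powershell
# Added example, not from the thread. Finds HTTP.sys "request header too long" rejections
# in the HTTPERR log. Assumed: the W3C-style layout with a "#Fields:" header line and the
# reason phrases FieldLength / RequestLength, both from the HTTP.sys error-log documentation.
function Get-OversizedHeaderRejections {
    param([string[]]$Lines)
    # Fallback layout if the file carries no "#Fields:" line; newer logs may add columns
    # (such as streamid), so the layout is taken from the file itself whenever present.
    $fields = 'date','time','c-ip','c-port','s-ip','s-port','cs-version','cs-method',
              'cs-uri','sc-status','s-siteid','s-reason','s-queuename'
    foreach ($line in $Lines) {
        if (-not $line) { continue }
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#')) { continue }        # other directives (#Software, #Date)
        $parts = $line -split ' '
        if ($parts.Count -ne $fields.Count) { continue } # malformed or truncated line
        $rec = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $parts[$i] }
        $rec = [pscustomobject]$rec
        # Only the two reasons that correspond to the header-size caps
        if ($rec.'sc-status' -eq '400' -and $rec.'s-reason' -in @('FieldLength', 'RequestLength')) {
            $rec
        }
    }
}

function Get-RejectionSummary {
    param([string[]]$Lines)
    # Count per client and reason; repeated hits from one IP on the sign-in URI look like
    # the stuck-cookie case Joe describes rather than a general capacity problem.
    Get-OversizedHeaderRejections -Lines $Lines |
        Group-Object 'c-ip', 's-reason', 'cs-uri' |
        Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Count  = $_.Count
                Client = $first.'c-ip'
                Reason = $first.'s-reason'
                Uri    = $first.'cs-uri'
            }
        }
}

# Constructed sample lines in the HTTPERR format (not real log data).
$sample = @'
#Software: Microsoft HTTP API 2.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2017-04-06 14:02:11 10.20.30.40 51812 10.0.0.10 443 HTTP/1.1 GET /adfs/ls/?wa=wsignin1.0 400 - FieldLength -
2017-04-06 14:02:12 10.20.30.40 51813 10.0.0.10 443 HTTP/1.1 GET /adfs/ls/?wa=wsignin1.0 400 - FieldLength -
2017-04-06 14:03:05 10.20.30.40 51814 10.0.0.10 443 HTTP/1.1 GET /adfs/ls/?wa=wsignin1.0 400 - RequestLength -
2017-04-06 14:05:40 10.20.30.41 49210 10.0.0.10 443 HTTP/1.1 GET /adfs/ls/ 503 - ConnLimit -
'@ -split "`r?`n"

Get-RejectionSummary -Lines $sample | Format-Table -AutoSize

# Against a real server (paths per the HTTP.sys documentation; adjust if logging was relocated):
# Get-RejectionSummary -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\HTTPERR\httperr*.log")
```

Run over the constructed sample the summary lists two FieldLength hits and one RequestLength hit from 10.20.30.40 on the sign-in URI and ignores the 503, which is a different failure. The same function pointed at the real HTTPERR files gives a baseline to compare before and after the registry change, and a way to see whether the 400s merely turned into the later-stage breakage Joe warns about.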



kool posted this 07 April 2017

Hi Joe,

Thanks for the thorough explanation! I also realized that increasing the header/request size could just result in things breaking further downstream. Fortunately we don’t see this error too often. I’m in the process of upgrading to ADFS 4.0 so it seems that there isn’t much point in worrying about this problem. I’m sure there will be a whole raft of new surprises in ADFS 4.0.

More on ADFS in another post.

Thanks,

Eric
