SecureAuth IdP Version affected: All
End users receive an HTTP 400 (Bad Request) error when they browse to a SecureAuth realm that has Windows Authentication (Integrated Windows Authentication, IWA) enabled. Not all users are affected; the users who see the error are typically members of a large number of Active Directory groups.
When a user logs on to a domain-joined workstation, a Kerberos ticket is issued whose authorization data (the PAC) lists the SID of every Active Directory group the user belongs to. When the browser (for example Internet Explorer) performs pass-through Windows Authentication, it sends the Kerberos service ticket, base64-encoded, in the Authorization: Negotiate request header so that IIS can establish the user's identity. The size of that header therefore grows with the number of group memberships. On Windows, requests are parsed by the kernel-mode HTTP service (http.sys) before they reach IIS, and http.sys rejects with a 400 any request in which a single header exceeds its MaxFieldLength limit (16384 bytes by default) or the request line plus headers exceed MaxRequestBytes. On the SecureAuth appliance this is what happens to users whose Kerberos ticket is larger than that limit.
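The following PowerShell snippet is an added example, not part of the original KB article, that estimates how large a user's Kerberos token, and with it the Authorization: Negotiate header, will be and whether it clears the http.sys default MaxFieldLength of 16384 bytes. It uses Microsoft's published rule of thumb for token size from the MaxTokenSize documentation (TokenSize = 1200 + 40d + 8s, where d counts domain local groups, universal groups from other domains and SIDHistory entries, and s counts global groups and universal groups in the user's own domain). The group counts passed in are constructed sample values, and the 4/3 base64 expansion plus a fixed allowance for header framing is an approximation of the header size, not a measurement.

```powershell
# Added example (not from the original KB article). Estimates the Kerberos
# token size and the resulting Authorization: Negotiate header length, and
# compares it with the http.sys MaxFieldLength limit.
# Assumption: TokenSize = 1200 + 40d + 8s (Microsoft's MaxTokenSize estimate);
# header = base64(token) + ~60 bytes of framing (approximation).

function Get-KerberosTokenEstimate {
    param(
        [int]$DomainLocalGroups,       # d: domain local + foreign universal + SIDHistory
        [int]$GlobalGroups,            # s: global + universal groups in own domain
        [int]$MaxFieldLength = 16384   # http.sys default; 65534 after the fix below
    )
    $tokenBytes  = 1200 + 40 * $DomainLocalGroups + 8 * $GlobalGroups
    # The ticket travels base64-encoded inside "Authorization: Negotiate <token>"
    $headerBytes = [int][math]::Ceiling($tokenBytes * 4 / 3) + 60
    [pscustomobject]@{
        DomainLocalGroups = $DomainLocalGroups
        GlobalGroups      = $GlobalGroups
        TokenBytes        = $tokenBytes
        HeaderBytes       = $headerBytes
        MaxFieldLength    = $MaxFieldLength
        ExceedsLimit      = ($headerBytes -gt $MaxFieldLength)
    }
}

# Constructed sample: a typical user, well under the 16 KB default (~3260 bytes).
Get-KerberosTokenEstimate -DomainLocalGroups 20 -GlobalGroups 50

# Constructed sample: a user in many domain local groups. The header alone
# comes to ~19794 bytes, which is the case that produces the HTTP 400.
Get-KerberosTokenEstimate -DomainLocalGroups 300 -GlobalGroups 200

# The same user once MaxFieldLength has been raised to 65534 on the appliance.
Get-KerberosTokenEstimate -DomainLocalGroups 300 -GlobalGroups 200 -MaxFieldLength 65534

# Quick triage for the logged-on user: total group count (all group types
# combined) as reported by whoami; large counts are the users to test first.
$groupCount = (whoami /groups /fo csv | ConvertFrom-Csv).Count
"Current user is a member of $groupCount groups (from whoami /groups)"
```

The whoami count does not separate domain local from global groups, so treat it as a rough indicator; for an exact figure, query the user's group types in Active Directory and feed them into the function.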
On the SecureAuth appliance, two registry values must be created (or modified if they already exist) under the HTTP service's Parameters key, and the HTTP service must then be restarted for the new values to take effect. The following steps describe the process in detail:
1. On the SecureAuth appliance, open the registry editor (run -> regedit.exe)
2. Navigate to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
3. Right-click in the right-hand pane and select New -> DWORD (32-bit) Value
4. Enter MaxFieldLength for the name and 65534 for the value. Select Decimal as the Base, then click OK. 65534 is the largest value http.sys accepts for MaxFieldLength; the built-in default is 16384.
5. Create a second DWORD value in the same way, named MaxRequestBytes, with the same value (65534, Decimal), then click OK. If either value already exists, edit it rather than creating a duplicate.
6. Close the registry editor and open a command prompt as administrator (right-click Command Prompt and select Run as administrator)
7. Type the following command: net stop http /y
8. Press Enter and wait for the command to finish. The /y switch answers the prompt to also stop the services that depend on HTTP (for example W3SVC). http.sys reads these registry values only when it starts, so this restart is required.
9. Type the following command: net start http
10. Hit Enter and wait for the command to finish processing
11. Type the following command: iisreset
12. Hit Enter and wait for the command to finish processing
13. Test again. http.sys on the appliance now accepts request headers up to 65534 bytes, so the oversized Kerberos ticket should be accepted. Note that the larger limit applies to every client of the appliance, not only IWA users, so apply it only where needed; the underlying cause (a bloated Kerberos token from excessive group membership) is best addressed in Active Directory.
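The same change, scripted, as an added example that is not part of the original KB article: it shows the current http.sys limits, creates or overwrites the two registry values, and performs the HTTP service restart and iisreset from steps 7 through 12. It assumes it is run from an elevated PowerShell prompt on the SecureAuth appliance (a Windows Server host running IIS) and that 65534 is the intended value for both settings.

```powershell
# Added example (not from the original KB article). Applies the registry fix
# from the steps above and restarts http.sys. Run as Administrator on the
# SecureAuth appliance.

$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Values = @{
    MaxFieldLength  = 65534   # max size of a single request header (bytes); default 16384
    MaxRequestBytes = 65534   # max size of request line plus headers (bytes); default 16384
}

function Get-HttpSysLimits {
    # Report the current values; an absent value means http.sys is using its
    # built-in 16 KB default.
    $current = Get-ItemProperty -Path $HttpParams -ErrorAction Stop
    foreach ($name in $Values.Keys) {
        $prop = $current.PSObject.Properties[$name]
        [pscustomobject]@{
            Name  = $name
            Value = if ($prop) { $prop.Value } else { 'not set (default 16384)' }
        }
    }
}

function Set-HttpSysLimits {
    # -Force creates the DWORD value if it is missing and overwrites it if it
    # already exists, which mirrors "create and/or modify" in the steps above.
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $HttpParams -Name $name -PropertyType DWord `
            -Value $Values[$name] -Force | Out-Null
    }
}

Write-Host 'http.sys limits before the change:'
Get-HttpSysLimits | Format-Table -AutoSize

Set-HttpSysLimits

Write-Host 'http.sys limits after the change:'
Get-HttpSysLimits | Format-Table -AutoSize

# http.sys only reads these values when the HTTP service starts, so the
# service must be restarted. /y answers the prompt to stop dependent
# services (W3SVC, WAS); iisreset then brings IIS back up.
net stop http /y
net start http
iisreset
```

After the restart, have an affected user (one with a large group membership) browse to the realm again; the request that previously returned 400 should now reach IIS and authenticate.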