Category: Internet Information Services


A domain user attempts to browse to a website hosted on Internet Information Services (IIS) that is configured to use Kerberos authentication. Instead of receiving the expected web page, the user is presented with an error message similar to the following:

HTTP 400 – Bad Request (Request header too long)

This issue may occur when the user is a member of too many Active Directory groups. When a user is a member of a large number of Active Directory groups, the Kerberos authentication token for that user grows in size. The HTTP request that the user sends to the IIS server carries the Kerberos token in the WWW-Authenticate header, so the header size grows as the number of groups goes up. If the HTTP header or packet size exceeds the limits configured in IIS, IIS may reject the request and return this error as the response.

Resolutions:

  1. Decrease the number of Active Directory groups that the user is a member of.
  2. Modify the MaxFieldLength and MaxRequestBytes registry values. They are located under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.

MaxFieldLength   DWORD   65534

MaxRequestBytes  DWORD   16777216

For more information, please check the Microsoft KB: http://support.microsoft.com/kb/2020943
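The following PowerShell script is an added example, not part of the original post or of any Microsoft documentation. It reports how many group SIDs are in the current user's token (a quick way to gauge token bloat before choosing resolution 1), then applies the two registry values listed above and restarts the HTTP service so HTTP.sys picks them up. The values are the ones the post lists; the helper function names are the example's own.

```powershell
# Added example (not from the original post): measure token group count,
# then raise the HTTP.sys header limits and restart the HTTP service.

function Get-TokenGroupCount {
    # Counts the group SIDs in the caller's access token via whoami; run this
    # as the affected user to see how many groups inflate their Kerberos ticket.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    return ($groups | Measure-Object).Count
}

function Set-HttpSysHeaderLimits {
    param(
        [int]$MaxFieldLength  = 65534,     # upper bound allowed for this value
        [int]$MaxRequestBytes = 16777216   # upper bound allowed for this value
    )
    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

    # Show what is currently configured; a missing value means HTTP.sys uses its default.
    foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
        $current = (Get-ItemProperty -Path $paramsKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $current) { "$name : not set (default)" } else { "$name : $current" }
    }

    # Write both values as REG_DWORD (-Force overwrites an existing value).
    New-ItemProperty -Path $paramsKey -Name 'MaxFieldLength'  -Value $MaxFieldLength  -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $paramsKey -Name 'MaxRequestBytes' -Value $MaxRequestBytes -PropertyType DWord -Force | Out-Null

    # HTTP.sys reads these values at service start, so restart it. -Force also
    # restarts dependent services (W3SVC), so sites are briefly unavailable.
    Restart-Service -Name HTTP -Force
    iisreset
}

"Groups in current token: $(Get-TokenGroupCount)"
Set-HttpSysHeaderLimits   # requires an elevated prompt
```

Run the group count as the user who sees the HTTP 400, and the registry change from an elevated prompt on the IIS server. Raising the limits accommodates large tokens but does not shrink them; trimming unnecessary group memberships (resolution 1) keeps the ticket, and therefore every Kerberos-authenticated request, smaller.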


On a Windows 2008 R2 server that runs IIS and is part of an NLB cluster, the following error may appear in the System log:

NLB cluster []: Timer starvation has been detected. This might be due to a denial of service attack or a very high server load. During this period, some connections might fail. If this problem recurs frequently, analyze the threat and take appropriate measures and/or add more servers to the cluster. An informational event log entry will be logged when the attack has subsided. Event 105, NLB

This Microsoft article shows that the TCP Chimney Offload does not work together with Network Load Balancing: http://support.microsoft.com/kb/951037

In Windows 2008 R2, TCP Chimney Offload is set to automatic by default. To disable it, run the following command:

netsh int tcp set global chimney=disabled
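As an added example (not from the original post), the PowerShell below confirms whether Event 105 has actually been logged, records the TCP Chimney Offload state before and after running the netsh command above, and verifies that the change took. It assumes the NLB events are written to the System log with the provider name NLB, as the event text suggests; netsh is used rather than the newer Get-NetOffloadGlobalSetting cmdlet because the latter is not available on 2008 R2.

```powershell
# Added example (not from the original post): check for NLB Event 105,
# then disable TCP Chimney Offload and verify the change.

function Get-NlbTimerStarvationEvents {
    param([int]$MaxEvents = 10)
    # Assumption: provider name 'NLB' in the System log, matching "Event 105, NLB" above.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NLB'; Id = 105 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-ChimneyOffloadState {
    # Pulls the "Chimney Offload State" line out of the netsh global TCP settings.
    $line = (netsh int tcp show global) | Where-Object { $_ -match 'Chimney Offload State' }
    if ($line -match ':\s*(\S+)') { return $Matches[1] } else { return 'unknown' }
}

# 1. Were any timer-starvation events logged recently?
$events = Get-NlbTimerStarvationEvents
"NLB Event 105 occurrences found: $(($events | Measure-Object).Count)"
$events | Format-List

# 2. Current state ("automatic" is the 2008 R2 default)
"Chimney Offload before: $(Get-ChimneyOffloadState)"

# 3. Apply the command from the post (requires an elevated prompt)
netsh int tcp set global chimney=disabled

# 4. Verify
"Chimney Offload after:  $(Get-ChimneyOffloadState)"
```

Run it from an elevated prompt on each node of the cluster; a lingering "automatic" or "enabled" after step 4 means the change did not apply and should be investigated before attributing further Event 105 entries to load or to an attack.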