
HTTP 400 Bad Request (Request header too long) (Solved)

IIS returns the “HTTP 400 Bad Request – Request header too long” error page when the headers of an HTTP request are larger than the limits configured in the web server (http.sys rejects the request before it reaches the site).

A common scenario in which this error shows up is requests made by users who are members of many Active Directory groups. When the website is configured to use Kerberos authentication, the group memberships are carried in the WWW-Authenticate header. Being a member of too many groups can therefore produce an oversized request header.


How to solve “HTTP 400 Bad Request – Request header too long” error 

An obvious solution is to decrease the number of Active Directory groups users are members of. However, this is not a practical solution in many companies because of the user count and the membership hierarchy.

A better solution is to raise the MaxFieldLength and MaxRequestBytes values. MaxFieldLength is the upper limit for each individual header. MaxRequestBytes is the upper limit for the total size of the request line and the headers together.

How to calculate optimum MaxFieldLength and MaxRequestBytes values?

There is a formula for calculating optimum values for these fields. It takes the MaxTokenSize value as input. The Microsoft page linked below recommends setting MaxTokenSize to a value lower than 48,000 bytes:

The maximum allowed value of MaxTokenSize is 65,535 bytes. If you are using Kerberos for IPSEC key management, the limit is 65,536 bytes. However, because of HTTP’s base64 encoding of authentication context tokens, we do not recommend that you set the maxTokenSize registry entry to a value larger than 48,000 bytes.

Starting with Windows Server 2012, the default value of the MaxTokenSize registry entry is 48,000 bytes.

Active Directory Maximum Limits – Scalability

How to set MaxFieldLength and MaxRequestBytes values?

These values are stored in the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. As a rule of thumb, back up the registry before making any changes.
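The calculation and the registry change described above, as an added PowerShell example (not code from the original post). The 4/3 factor is the base64 expansion the post mentions; the additional 200 bytes is an allowance for the rest of the header line taken from Microsoft’s guidance, and the 65534 ceiling for MaxFieldLength is the documented http.sys maximum. The function names, the token size used in the usage lines and the backup path are this example’s own choices.

```powershell
# Added example: derive MaxFieldLength / MaxRequestBytes from a Kerberos token
# size and write them to the http.sys Parameters key after exporting a backup.
# Assumed: 4/3 base64 growth plus a 200-byte allowance for the rest of the header
# line (Microsoft's guidance); 65534 is the documented upper bound for MaxFieldLength.

$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-HttpSysHeaderLimits {
    param(
        # Size of the user's Kerberos token in bytes (measured, or MaxTokenSize as an upper bound).
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$TokenSizeBytes
    )
    # base64 emits 4 characters for every 3 input bytes, so the token grows by 4/3 on the wire.
    $needed = [int][math]::Ceiling($TokenSizeBytes * 4 / 3) + 200
    [pscustomobject]@{
        # MaxFieldLength bounds one header; http.sys accepts at most 65534 here.
        MaxFieldLength  = [math]::Min($needed, 65534)
        # MaxRequestBytes bounds request line plus all headers, so it must not be below MaxFieldLength.
        MaxRequestBytes = $needed
    }
}

function Show-HttpSysHeaderLimits {
    # Current values; an empty property means the http.sys default (16384 bytes) is in effect.
    Get-ItemProperty -Path $HttpParams | Select-Object MaxFieldLength, MaxRequestBytes
}

function Set-HttpSysHeaderLimits {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][int]$MaxFieldLength,
        [Parameter(Mandatory)][int]$MaxRequestBytes,
        [string]$BackupPath = (Join-Path $env:TEMP 'HTTP-Parameters-backup.reg')
    )
    if ($MaxRequestBytes -lt $MaxFieldLength) {
        throw 'MaxRequestBytes must be at least MaxFieldLength.'
    }
    # Back up the key before touching it, as the post advises.
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' $BackupPath /y | Out-Null
    if ($PSCmdlet.ShouldProcess($HttpParams, "Set MaxFieldLength=$MaxFieldLength, MaxRequestBytes=$MaxRequestBytes")) {
        New-ItemProperty -Path $HttpParams -Name MaxFieldLength  -PropertyType DWord -Value $MaxFieldLength  -Force | Out-Null
        New-ItemProperty -Path $HttpParams -Name MaxRequestBytes -PropertyType DWord -Value $MaxRequestBytes -Force | Out-Null
        Write-Host "Values written; backup at $BackupPath. Restart the HTTP service (net stop http, then net start http) or reboot to apply."
    }
}

# Usage (run elevated): limits for a user whose token measures 24,000 bytes.
$limits = Get-HttpSysHeaderLimits -TokenSizeBytes 24000
$limits
Show-HttpSysHeaderLimits
# -WhatIf only reports the change; drop it to write the values.
Set-HttpSysHeaderLimits -MaxFieldLength $limits.MaxFieldLength -MaxRequestBytes $limits.MaxRequestBytes -WhatIf
```

The two registry values are read by http.sys, not by the IIS worker process, so an IIS reset alone does not pick them up; the HTTP service has to be restarted or the server rebooted.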

Recommendation for MaxFieldLength and MaxRequestBytes values

As a best practice, the smaller the values, the better for IIS kernel memory usage and security. The best approach is to increase these values gradually while keeping an eye on 400 errors in the IIS logs. The smallest values that no longer cause 400 errors are the best values.

In general, I wouldn’t recommend setting them to more than 32K. Here is a Microsoft article that sets the MaxFieldLength and MaxRequestBytes fields to 32K as a security recommendation.
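Watching the logs for these 400 errors, as an added PowerShell example (not code from the original post). Because http.sys rejects an oversized header before the request reaches the site, the rejection lands in the HTTPERR log under %SystemRoot%\System32\LogFiles\HTTPERR rather than in the site’s own W3C log. The example reads the #Fields line so it works with either HTTPERR layout and assumes the reason codes FieldLength and RequestLength that http.sys writes for the two limits; the log lines in it are constructed, not a real capture.

```powershell
# Added example: find http.sys 400 rejections caused by MaxFieldLength or
# MaxRequestBytes in HTTPERR logs, so the limits can be raised step by step
# until the rejections stop. Assumed: the HTTPERR W3C field names and the
# reason codes FieldLength / RequestLength.

function Get-HeaderTooLongEvents {
    param([Parameter(Mandatory)][AllowEmptyCollection()][string[]]$LogLines)
    $fields = $null
    foreach ($line in $LogLines) {
        # The #Fields directive names the columns; read it instead of hard-coding positions.
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring('#Fields:'.Length).Trim() -split '\s+'
            continue
        }
        if ($null -eq $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        if ($rec['sc-status'] -eq '400' -and $rec['s-reason'] -in @('FieldLength', 'RequestLength')) {
            [pscustomobject]@{
                Time   = '{0} {1}' -f $rec['date'], $rec['time']
                Client = $rec['c-ip']
                Uri    = $rec['cs-uri']
                Reason = $rec['s-reason']
            }
        }
    }
}

function Get-HeaderTooLongSummary {
    # Counts per reason and client: many clients hitting FieldLength points at
    # token size, a single client hitting RequestLength usually points at one request.
    param([Parameter(Mandatory)][AllowEmptyCollection()][string[]]$LogLines)
    Get-HeaderTooLongEvents -LogLines $LogLines |
        Group-Object Reason, Client |
        Select-Object @{ n = 'Reason, Client'; e = { $_.Name } }, Count |
        Sort-Object Count -Descending
}

# Constructed sample of an HTTPERR log (not a real capture).
$sample = @'
#Software: Microsoft HTTP API 2.0
#Version: 1.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri streamid sc-status s-siteid s-reason s-queuename
2024-05-01 08:00:01 10.0.0.5 51000 10.0.0.10 80 HTTP/1.1 GET /intranet/ - 400 - FieldLength -
2024-05-01 08:00:02 10.0.0.5 51001 10.0.0.10 80 HTTP/1.1 GET /intranet/ - 400 - RequestLength -
2024-05-01 08:00:03 10.0.0.7 51002 10.0.0.10 80 HTTP/1.1 GET /intranet/ - 400 - FieldLength -
2024-05-01 08:00:04 10.0.0.9 51003 10.0.0.10 80 - - - - - - Timer_ConnectionIdle -
'@
$sampleLines = $sample -split "`r?`n"

Get-HeaderTooLongEvents -LogLines $sampleLines | Format-Table -AutoSize
Get-HeaderTooLongSummary -LogLines $sampleLines

# Against a live server (run elevated), across all rotated HTTPERR files:
# Get-HeaderTooLongSummary -LogLines (Get-Content "$env:SystemRoot\System32\LogFiles\HTTPERR\httperr*.log")
```

The idle-timeout line in the sample is there to show that the filter keeps only the two header-limit reasons; other http.sys rejections are ignored.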


Ned Sahin

Blogger for 20 years. Former Microsoft Engineer. Author of six books. I love creating helpful content and sharing it with the world. Reach out to me with any questions or feedback.

5 thoughts on “HTTP 400 Bad Request (Request header too long) (Solved)”

  1. Please can you repeat this in layman’s terms so that the rest of us can understand what you are saying and how to fix it. I do not know what all the Kerberos and token size and other things are. There has to be some simple way to fix it. It costs too much to call a fix-it man. I make cards for the sick people at Church every month who can’t get out and I depend on being able to use this feature.
