HTTP 400 error: reproduction experiment and its solution

Source: Internet
Author: User
Tags: error code
Introduction to the problem

An HTTP 400 error code means that the request sent by the client does not conform to one of the server's restrictions on requests, or that the request itself contains an error.

At present, 400 errors often occur in the user authentication phase: when a user is from an excessively large domain, the domain information is sent to the server during Kerberos authentication, causing a request field to exceed the upper limit configured on the server.

Reproducing the problem

Change the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters:
MaxFieldLength = (hex)

Restart the HTTP service (requires Administrator privileges) with the following commands:
net stop http
net start http

Restart the IIS service with the following command:
iisreset

Access a web page on the server through a browser.

Debugging Methods

The 400 error is generated at the HTTP layer. When HTTP.sys on the server detects a request that is incompatible with its configuration, it responds to the client with a 400 error directly and records the reason for the failure in the httperr.log file under C:\Windows\System32\LogFiles\HTTPERR\.

HTTP error log

#Software: Microsoft HTTP API 2.0
#Version: 1.0
#Date: 2012-09-05 05:01:22
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2012-09-05 05:01:22 ::1%0 20567 ::1%0 GET / 400 - FieldLength HTTP/1.1

You can also trace the return code with the IE Developer Tools.

Open IE and press F12 to open the Developer Tools.

Click the Start capturing button on the Network tab.

Browse to the web page to see the return code.

Solution
Option 1

Reduce the length of the field sent in the request so that it conforms to the server's requirements. If the problem is that the user belongs to too many domain groups, remove the user from some groups to reduce the length of the request.

Option 2

Change the server settings and change the size of the MaxFieldLength and MaxRequestBytes settings in the registry.

How large should these values be?

You can calculate the size of the token using the method described at http://support.microsoft.com/kb/327825

Then set MaxFieldLength and MaxRequestBytes to 4/3 of the token size.
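The httperr.log check from Debugging Methods and the 4/3 sizing rule above, as an added example (not code from the original page): it reads HTTPERR entries using the #Fields directive, counts 400 responses rejected for size per client, and applies the sizing rule. The sample log lines are constructed, and the function names and the RequestLength reason are assumptions not taken from the page.

```python
from collections import Counter

# Constructed sample in the HTTPERR layout (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft HTTP API 2.0
#Version: 1.0
#Date: 2012-09-05 05:01:22
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2012-09-05 05:01:22 192.0.2.10 20567 192.0.2.1 80 HTTP/1.1 GET / 400 - FieldLength -
2012-09-05 05:01:40 192.0.2.10 20571 192.0.2.1 80 HTTP/1.1 GET /app 400 - RequestLength -
2012-09-05 05:02:03 192.0.2.22 20610 192.0.2.1 80 HTTP/1.1 GET / 400 - FieldLength -
2012-09-05 05:03:11 192.0.2.30 20702 192.0.2.1 80 - - - - - Timer_ConnectionIdle -
"""

# FieldLength: one header field over MaxFieldLength.
# RequestLength (assumed here): request line plus headers over MaxRequestBytes.
SIZE_REASONS = {"FieldLength", "RequestLength"}

def parse_httperr(text):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def size_rejections(text):
    """Count 400 responses rejected for size, keyed by (client IP, reason)."""
    hits = Counter()
    for entry in parse_httperr(text):
        if entry["sc-status"] == "400" and entry["s-reason"] in SIZE_REASONS:
            hits[(entry["c-ip"], entry["s-reason"])] += 1
    return hits

def recommended_limit(token_bytes):
    """4/3 of the token size, rounded up (base64 turns 3 bytes into 4)."""
    return (token_bytes * 4 + 2) // 3

if __name__ == "__main__":
    for (client, reason), count in sorted(size_rejections(SAMPLE_LOG).items()):
        print(f"{client} {reason} x{count}")
    print("limit for a 12000-byte token:", recommended_limit(12000))
```
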

If you do not want to calculate, you can install Fiddler on the client, clear the IE cache, send a request, and then view the statistics, which show how many bytes were sent altogether.

Option 3

Use NTLM instead of Kerberos authentication so that the domain group information is not sent. Whether this is possible depends on the requirements of the actual environment: do not change to NTLM if the Kerberos delegation feature is needed. In addition, Kerberos is a more secure authentication method than NTLM, so be cautious when choosing this option.

The following link contains a detailed description of the corresponding registry keys for HTTP.sys, which shows how Windows controls the behavior of the HTTP protocol layer through these settings.

Http.sys registry settings for IIS

http://support.microsoft.com/kb/820129/en-us

Reference documentation

http://support.microsoft.com/kb/2020943

http://support.microsoft.com/kb/820129/en-us

http://support.microsoft.com/kb/327825
