This is an issue with IIS using Windows Authentication and Kerberos; it is not specific to One Identity Manager. As described by Microsoft in "HTTP 400 Bad Request (Request Header too long) responses to HTTP requests", the size of the WWW-Authenticate header field increases with the number of groups a user is a member of. If a user is a member of more than 120 groups, the header exceeds the MaxFieldLength and MaxRequestBytes limits for IIS as configured in the server registry.
Please follow the resolution proposed by Microsoft in "HTTP 400 Bad Request (Request Header too long) responses to HTTP requests". As of writing, this means one and only one of the following:
- Decrease the number of AD groups the user is a member of.
- Configure MaxFieldLength and MaxRequestBytes according to the number of groups.
- Change to NTLM authentication (please note, this might not be acceptable depending on security requirements of the environment.)
Please note: One Identity does not provide support for problems that arise from improper modification of the registry. The Windows registry contains information critical to your computer and applications. Make sure you back up the registry before modifying it. For more information on the Windows Registry Editor and how to back up and restore it, refer to Microsoft Article ID 256986 "Description of the Microsoft Windows registry" at Microsoft Support.
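The second option, as an added PowerShell example (not code from One Identity or Microsoft): it estimates the header size from a user's group counts, backs up the registry key, and raises both values only as far as needed. The token-size estimate (1200 + 40d + 8s bytes), the 4/3 base64 factor, and the HTTP.sys default and ceiling are taken from Microsoft's documentation rather than from this article; the group counts and the backup path are constructed sample values.

```powershell
#Requires -RunAsAdministrator
# Added example: size the HTTP.sys header limits from a user's group counts,
# back up the key, then raise (never lower) both values.
param(
    [int]$D = 200,  # constructed sample: domain local groups, out-of-domain universal groups, SID-history entries
    [int]$S = 400,  # constructed sample: global groups and in-domain universal groups
    [string]$BackupFile = "$env:TEMP\http-parameters-backup.reg"  # hypothetical path
)
$ErrorActionPreference = 'Stop'
$regPath = 'SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$key     = "HKLM:\$regPath"

# Microsoft's token-size estimate, then 4/3 for base64 encoding in the header.
$tokenBytes = 1200 + (40 * $D) + (8 * $S)
$needed     = [int][math]::Ceiling($tokenBytes * 4 / 3)

# HTTP.sys documents a default of 16384 for both values and a ceiling of
# 65534 for MaxFieldLength; a token beyond that needs fewer groups instead.
$default = 16384
if ($needed -gt 65534) {
    throw "Estimated header ($needed bytes) exceeds the MaxFieldLength ceiling; reduce group membership."
}

# Back up the key before touching it.
& reg.exe export "HKLM\$regPath" $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; nothing was changed." }

$props = Get-ItemProperty -Path $key
foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
    $value     = $props.PSObject.Properties[$name]
    $effective = if ($value) { [int]$value.Value } else { $default }
    if ($effective -ge $needed) {
        "{0}: {1} already covers {2} bytes, left unchanged" -f $name, $effective, $needed
        continue
    }
    # Set only what the estimate requires: larger limits mean HTTP.sys
    # accepts larger headers from every client, authenticated or not.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $needed -Force | Out-Null
    "{0}: {1} -> {2}" -f $name, $effective, $needed
}
"Backup written to $BackupFile. Restart the HTTP service and IIS (or reboot) for the change to apply."
```

With the sample counts the estimate is 12400 bytes of token and 16534 bytes of header, just above the 16384-byte default, so both values are raised to 16534.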