- We are facing an issue with our WHFB enrollment process.
- The ADFS server Windows Intergrated login process is throwing error: HTTP 400 - Bad Request (Request header too long).
- The issue is limited to one user at this point of time
- ADFS IDPinitiatedSignon page working on IE but not on Edge/Google Chrome with the above error when attempting kerberos authentication
- The user is part of 56 groups.
- SAM account name is of 20 characters (Migrated from a separate forest)
Asked
Active
Viewed 2,754 times
0
IshRaj
- 81
- 1
- 9
1 Answers
1
Then IE is probably falling back to NTLM, which is bad in itself.
The solution for IIS can be found on: https://support.microsoft.com/en-us/help/2020943/http-400-bad-request-request-header-too-long-response-to-http-request
Gerrit
- 1,552
- 8
- 8
-
1The nested groups were the culprit here. The token size was as per recommendations from MSFT 48K , but the token size was way above that for delegation purposes. This script helped a lot https://gallery.technet.microsoft.com/scriptcenter/Check-for-MaxTokenSize-520e51e5 – IshRaj Jun 12 '20 at 05:30
-
That's a nice script. Glad that you solved it. – Gerrit Jun 12 '20 at 08:26