4

I am working on an ASP.NET Core application which consumes a GraphQL endpoint via RestSharp to retrieve the data. This is an intranet type application, deployed on a Windows 2016 IIS Server, and we are utilizing Windows Authentication. The problem we are encountering is that a certain user, who belongs to a large number of Active Directory groups, is getting intermittent "431 Request headers too long" errors.

I have attempted the following:

  1. I am setting the IISDefaults in the startup.cs for both the application and service:

    services.AddAuthentication(IISDefaults.AuthenticationScheme);
    
  2. I am passing UseDefaultCredentials in the RestRequest

    var client = new RestClient(endpoint);
    var request = new RestRequest(Method.POST);
    request.UseDefaultCredentials = true;
    request.AddHeader("content-type", "application/json");
    request.AddParameter("application/json", data, ParameterType.RequestBody);
    IRestResponse response = client.Execute(request);
    return response.Content;
    
  3. Set the registry entries for MaxFieldLength and MaxRequestBytes to the max allowed.

Log from stdout:

    info: Microsoft.AspNetCore.Server.Kestrel[17]
          Connection id "0HLIABLA41UKH" bad request data: "Request headers too long."
    Microsoft.AspNetCore.Server.Kestrel.Core.BadHttpRequestException: Request headers too long.
       at Microsoft.AspNetCore.Server.Kestrel.Core.BadHttpRequestException.Throw(RequestRejectionReason reason)
       at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.Http1Connection.TakeMessageHeaders(ReadOnlySequence`1 buffer, SequencePosition& consumed, SequencePosition& examined)
       at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.Http1Connection.ParseRequest(ReadOnlySequence`1 buffer, SequencePosition& consumed, SequencePosition& examined)
       at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.Http1Connection.TryParseRequest(ReadResult result, Boolean& endConnection)
       at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
       at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequestsAsync[TContext](IHttpApplication`1 application)
    info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]

Llazar
Jonas Wik

3 Answers

9

This was resolved by setting the MaxRequestHeadersTotalSize Kestrel option. This defaults to 32768.

        public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
            WebHost.CreateDefaultBuilder(args)
                   .UseStartup<Startup>()
                   .UseKestrel(options =>
                   {
                      options.Limits.MaxRequestHeadersTotalSize = 1048576;
                   });
Jonas Wik
3

Jonas is on the right track and helped solve the similar situation that I was having with an ASP.NET Core web application. However, after reviewing the Microsoft docs on the Kestrel server, I found that Jonas' method needs to be modified slightly if using ASP.NET Core 2.2 (thanks to @cristi71000's comment). Most of the credit should still go to @Jonas Wik for pointing us all in the right direction.

He suggests chaining the UseKestrel() helper method when creating and configuring a web host builder. However, according to the Microsoft docs for ASP.NET Core 2.2, CreateDefaultBuilder() is already calling UseKestrel() behind the scenes. When additional configuration is needed, the helper method ConfigureKestrel() should be used to further configure Kestrel. Updating Jonas' answer for ASP.NET Core 2.2 would look like this:

    public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .UseStartup<Startup>()
            .ConfigureKestrel((context, options) =>
            {
                options.Limits.MaxRequestHeadersTotalSize = 1048576;
            });

Full disclosure: I have done both and do not notice a difference or any adverse side-effects. However, it's best to stay in line with their documented practices to ensure nothing goes off the rails in future development!

How to Use Kestrel in ASP.NET Core Apps (ASP.NET Core v2.1)

How to Use Kestrel in ASP.NET Core Apps (ASP.NET Core v2.2)

Blair Allen
  • This is for ASP.NET Core 2.2. Jonas's answer was for ASP.NET Core 2.1 – cristi71000 Oct 01 '19 at 07:10
  • @cristi71000 Thanks for the input. I have updated my answer. I did not see anything in the question or Jonas' answer to indicate a specific version of ASP.NET Core, but after looking at the docs I do see that the procedure for configuring Kestrel does change from v2.1 to v2.2. I modified my answer to hopefully point other readers in the right direction if they are targeting v2.2. – Blair Allen Oct 11 '19 at 18:15
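
An added example, not part of either answer above: middleware that logs requests whose headers approach the configured Kestrel limit, so `MaxRequestHeadersTotalSize` can be sized from observed traffic instead of being raised to 1 MB up front. `UseHeaderSizeLogging`, `EstimateHeaderBytes` and the 75% warning threshold are hypothetical names and values chosen for this sketch, not ASP.NET Core APIs.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class HeaderSizeLoggingExtensions
{
    // Hypothetical helper: call in Startup.Configure with the same value
    // that was assigned to options.Limits.MaxRequestHeadersTotalSize.
    public static IApplicationBuilder UseHeaderSizeLogging(
        this IApplicationBuilder app, long limitBytes, double warnRatio = 0.75)
    {
        var logger = app.ApplicationServices
            .GetRequiredService<ILoggerFactory>()
            .CreateLogger("HeaderSize");

        return app.Use(async (context, next) =>
        {
            long total = EstimateHeaderBytes(context.Request.Headers);
            if (total >= limitBytes * warnRatio)
            {
                // Only requests Kestrel accepted reach this point, so the
                // warning fires before a user starts receiving 431 responses.
                logger.LogWarning(
                    "Request headers ~{Bytes} bytes of {Limit} allowed; user {User}, path {Path}",
                    total, limitBytes,
                    context.User?.Identity?.Name ?? "(anonymous)",
                    context.Request.Path);
            }
            await next();
        });
    }

    // Approximates the on-the-wire size: "Name: value\r\n" per header value.
    public static long EstimateHeaderBytes(IHeaderDictionary headers)
    {
        long total = 0;
        foreach (var header in headers)
        {
            foreach (var value in header.Value)
            {
                total += header.Key.Length + 2 + (value?.Length ?? 0) + 2;
            }
        }
        return total;
    }
}
```

A header limit is also a bound on how much memory an unauthenticated client can make the server buffer per request, which is the reason to pick the smallest value that fits the measured sizes.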
0

This can sometimes happen because your AD account is in a lot of security groups. If you reduce the number of groups you are in, your Windows auth header should reduce in size, allowing you to make the request.

If you can't leave any of the security groups you are in, you'll have to use the other answer's method.

This is often reported as HTTP 400.

https://support.microsoft.com/en-au/help/327825/problems-with-kerberos-authentication-when-a-user-belongs-to-many-grou

Nacht
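
An added example, not part of the answer above: it applies the token-size estimate from the linked Microsoft article (TokenSize = 1200 + 40d + 8s) to show how group membership translates into the size of the base64-encoded `Authorization: Negotiate` header, and what Kestrel limit would fit the largest ticket a domain issues. The group counts, the 8192-byte allowance for other headers and the `SuggestedLimit` helper are assumptions made for this sketch.

```csharp
using System;

public static class NegotiateHeaderEstimate
{
    // Kestrel default for MaxRequestHeadersTotalSize, as stated in the first answer.
    public const int KestrelDefaultLimit = 32768;

    // KB327825 estimate: TokenSize = 1200 + 40d + 8s, where
    //   d = domain local groups + universal groups outside the account
    //       domain + SIDs held in SID history
    //   s = global groups + universal groups inside the account domain
    public static int TokenBytes(int d, int s) => 1200 + 40 * d + 8 * s;

    // The ticket is base64-encoded into "Authorization: Negotiate <token>",
    // which inflates it by a factor of 4/3.
    public static int HeaderBytes(int tokenBytes)
    {
        int base64 = 4 * ((tokenBytes + 2) / 3);
        return "Authorization: Negotiate ".Length + base64 + 2; // 2 = CRLF
    }

    // Limit that fits the largest ticket the domain issues plus the other
    // headers (otherHeaderBytes is an assumption; replace with a measured value).
    public static int SuggestedLimit(int maxTokenSize, int otherHeaderBytes = 8192)
        => HeaderBytes(maxTokenSize) + otherHeaderBytes;

    public static void Main()
    {
        // Constructed group counts, not taken from the question.
        var accounts = new (string Name, int D, int S)[]
        {
            ("typical user", 20, 60),
            ("heavy user", 650, 300),
        };
        foreach (var a in accounts)
        {
            int header = HeaderBytes(TokenBytes(a.D, a.S));
            string verdict = header > KestrelDefaultLimit ? "over" : "under";
            Console.WriteLine(
                $"{a.Name}: ~{header} header bytes, {verdict} the {KestrelDefaultLimit} default");
        }
        // 48000 is the MaxTokenSize default on Windows Server 2012 and later;
        // check the value configured in your own domain.
        Console.WriteLine($"Limit sized to MaxTokenSize 48000: {SuggestedLimit(48000)}");
    }
}
```

The formula is an estimate and the Negotiate wrapping adds some bytes on top, so treat the output as a floor when choosing a limit.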