Control Compliance Suite Web Dashboards showing HTTP 400 Error, Bad Request.

Article ID: 157549


Updated On:

Products

Control Compliance Suite, Control Compliance Suite Standards Server

Issue/Introduction

Some users see an HTTP 400 error message when accessing the CCS web dashboards. Pages sometimes load when the user hits refresh, but very often they are not displayed correctly, e.g. the layout is wrong because CSS files are missing. If a page does load correctly, the next link the user clicks will probably show the HTTP 400 error again. Some users can't log on at all and are presented with an HTTP 400 error only.

The affected users are correctly added to AD groups and have the same, appropriate rights within CCS, and when a page does load, their correct AD user is displayed at the top of the screen. Other users in the same AD group (i.e. with the same rights within CCS) are not affected.

 

To verify that you are looking at the same issue, enable IIS HTTP API logging. The Microsoft KB article at http://support.microsoft.com/kb/820729 provides a "Fix it" that does this for you: it adds a few parameters to the registry and generates a log. You need to restart the HTTP service for it to take effect. The log goes to %SystemRoot%\System32\LogFiles\httperr1.log and, with verbose logging enabled, shows the following:

 

#Software: Microsoft HTTP API 2.0
#Version: 1.0
#Date: 2012-12-28 16:12:45
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2012-12-28 16:12:44 ##.##.##.## 1792 ##.##.##.## 80 HTTP/1.1 GET /CCS_Web/HomePage.aspx 400 - RequestLength -

If you see the same error, read on for the solution.
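
To check a whole httperr log for this signature rather than reading it by eye, the following added example (not part of the original article or of any Symantec or Microsoft tooling) parses the format shown above and counts size-limit rejections per client. The sample log, its IP addresses and the CSS path are constructed, and the FieldLength reason comes from Microsoft's HTTP API error logging documentation rather than from this article.

```python
from collections import Counter

# Reason phrases http.sys logs when a size limit is exceeded. "RequestLength"
# is the one shown on this page; "FieldLength" is taken from Microsoft's HTTP
# API error-logging documentation (an assumption, not from this article).
SIZE_REASONS = {"RequestLength", "FieldLength"}

# Constructed sample in the format shown above (documentation IP addresses).
SAMPLE_LOG = """\
#Software: Microsoft HTTP API 2.0
#Version: 1.0
#Date: 2012-12-28 16:12:45
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2012-12-28 16:12:44 192.0.2.10 1792 192.0.2.1 80 HTTP/1.1 GET /CCS_Web/HomePage.aspx 400 - RequestLength -
2012-12-28 16:12:50 192.0.2.10 1793 192.0.2.1 80 HTTP/1.1 GET /CCS_Web/Styles/site.css 400 - RequestLength -
2012-12-28 16:13:02 192.0.2.22 2011 192.0.2.1 80 HTTP/1.1 GET /CCS_Web/HomePage.aspx 400 - FieldLength -
2012-12-28 16:13:09 192.0.2.31 2200 192.0.2.1 80 - - - - - Timer_ConnectionIdle -
"""


def parse_httperr(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # header may reappear after rotation
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or wrapped lines
                yield dict(zip(fields, values))


def oversized_requests(text):
    """Count 400 rejections caused by size limits, per (client IP, reason)."""
    hits = Counter()
    for entry in parse_httperr(text):
        if entry["sc-status"] == "400" and entry["s-reason"] in SIZE_REASONS:
            hits[(entry["c-ip"], entry["s-reason"])] += 1
    return hits


if __name__ == "__main__":
    for (client, reason), count in sorted(oversized_requests(SAMPLE_LOG).items()):
        print(f"{client}  {reason}  {count}")
```

Clients that appear here repeatedly while other users of the same site do not match the per-user pattern described in this article.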

 

Cause

By default, IIS can't handle large Kerberos tickets. The ticket can be large because the Active Directory user who is trying to authenticate is a member of many Active Directory groups: the more groups, the larger the Kerberos ticket. The issue might appear for some users but not for others because they belong to different groups.
 

Resolution

The issue is with IIS and not with Symantec code. It is fixed by adding two IIS-related keys to the registry on the CCS application server. These are the keys to be added:

MaxFieldLength, possibly set to 65534 (the maximum value)
MaxRequestBytes, possibly set to 16777216 (the maximum value)
 

Warning: Adding these values or changing them from their defaults comes with a warning from Microsoft. For more information on the keys, please see https://support.microsoft.com/kb/820129
 

Also, the Microsoft KB suggests that restarting the related IIS services is sufficient for the change to take effect; however, it has been reported that a reboot of the whole system is sometimes needed for the keys to take effect.