Some client connections through ThreatPulse receive SAML error: HTTP 400 Bad Request
When Auth Connector (BCCA) is used as the SAML Identity Provider (IdP), some users receive an HTTP 400 Bad Request response when they attempt to authenticate (the request headers are too long).
HTTP 400 Bad Request
Web Security Service using SAML Authentication
Checking the affected user's group membership may show that the user belongs to a large number of groups, some of which have other groups nested inside them. A large number of groups increases the size of the Kerberos blob in the request.
In a packet capture taken on the client computer (using a tool such as HTTPwatch or Firebug), the Kerberos blob in the HTTP request is very large. The blob exceeds the default MaxTokenSize value on the IIS server where the Auth Connector is running (by default 12,000 bytes, or 12k). The blob is carried in the Authorization header; in the captured request, the total request size was 17485 bytes, of which 16k was the Kerberos blob.
First, reduce the size of the Kerberos blob for the client by cleaning up the user's group membership. See option d in the following Microsoft blog article:
http://blogs.technet.com/b/surama/archive/2009/04/06/kerberos-authentication-problem-with-active-directory.aspx
To allow larger request headers, increase the MaxFieldLength and MaxRequestBytes values on the Windows AD Server where the Auth Connector is installed.
The following Microsoft article describes the issue:
http://support.microsoft.com/kb/2020943
The following Microsoft article describes how to change the registry keys for MaxFieldLength and MaxRequestBytes:
http://support.microsoft.com/kb/820129
Solution:
Increase the values only enough to allow the request through. In the example screen shot, raising both values to 20k was sufficient to permit the request. The registry maximum is 64k, but raising the values that far is not recommended for security reasons.
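The following PowerShell script is an added example, not part of the original KB article or of the Auth Connector product. It reads the current HTTP.sys limits, sizes the new values from the captured request size with a small headroom, refuses to go above a ceiling well below the 64k maximum, and writes the two registry values named in KB 820129. The registry path and value names are Microsoft's documented ones; the function names, the headroom and the ceiling are assumptions of this example.

```powershell
# Added example (not from the KB article): inspect and raise the HTTP.sys header
# limits that cause "400 Bad Request - Request Too Long" on the Auth Connector host.
# Run in an elevated PowerShell session on the server where BCCA is installed.
# Registry path and value names are those documented in Microsoft KB 820129.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-HttpSysHeaderLimits {
    # A missing value means HTTP.sys is using its built-in default.
    $p = Get-ItemProperty -Path $HttpParams -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MaxFieldLength  = if ($null -ne $p.MaxFieldLength)  { $p.MaxFieldLength }  else { 'default' }
        MaxRequestBytes = if ($null -ne $p.MaxRequestBytes) { $p.MaxRequestBytes } else { 'default' }
    }
}

function Set-HttpSysHeaderLimits {
    param(
        # Size of the largest failing request seen in the capture (17485 bytes in the article).
        [Parameter(Mandatory)][int]$ObservedRequestBytes,
        # Headroom so the limit is not tuned to a single user's current group count (assumed value).
        [int]$HeadroomBytes = 2048,
        # Hard stop well below the 64k registry maximum the article advises against (assumed value).
        [int]$Ceiling = 32768
    )
    # Round up to the next 1 KB so the chosen value is easy to recognise in a later audit.
    $target = [math]::Ceiling(($ObservedRequestBytes + $HeadroomBytes) / 1024) * 1024
    if ($target -gt $Ceiling) {
        throw "Required $target bytes exceeds ceiling $Ceiling; clean up group membership instead of raising the limit."
    }
    if (-not (Test-Path $HttpParams)) { New-Item -Path $HttpParams -Force | Out-Null }
    # Both values are REG_DWORD. MaxRequestBytes must be at least MaxFieldLength,
    # since the whole Authorization header has to fit inside the request limit.
    Set-ItemProperty -Path $HttpParams -Name MaxFieldLength  -Value $target -Type DWord
    Set-ItemProperty -Path $HttpParams -Name MaxRequestBytes -Value $target -Type DWord
    Write-Host "Set MaxFieldLength and MaxRequestBytes to $target bytes. Restart the HTTP service (or reboot) to apply."
    Get-HttpSysHeaderLimits
}

# With the article's numbers: a 17485-byte request yields a 20480-byte (20k) limit,
# matching the value the article found sufficient.
Set-HttpSysHeaderLimits -ObservedRequestBytes 17485
```

The change takes effect only after the HTTP service is restarted; re-run Get-HttpSysHeaderLimits afterwards to confirm the values persisted.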