400 Error on Some Users Logging into User Application with Single Sign On SSO

  • 7005181
  • 25-Apr-2012
  • 26-Apr-2012

Environment

Novell Identity Manager 4.0.1 Advanced Edition

Situation

After configuring the User Application to use Single Sign-On (SSO) with a Kerberos token from Active Directory, login works for most users but fails for some of them with a 400 error.

Resolution

To fix the issue, increase maxHttpHeaderSize on the HTTP connector in the JBoss server.xml file and restart JBoss. Below is an example with maxHttpHeaderSize set to 16 KB (16384 bytes).

The file to change is jboss/server/IDMProv/deploy/jbossweb.sar/server.xml. An excerpt of the Connector element with the parameter already set follows:

    <Connector protocol="HTTP/1.1" SSLEnabled="true"
               port="443" address="${jboss.bind.address}"
               maxHttpHeaderSize="16384"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="/opt/novell/idm/jre/lib/security/cacerts"
               keystorePass="changeit" sslProtocol="TLS"
               keyAlias="ssl certificateip"/>

Cause

The token being returned from Active Directory was 10 KB, but the default JBoss buffer for the HTTP header is only 8 KB. The request header therefore could not be read in full, and the login fails with a 400 error.

Additional Information

A 400-series error indicates that the request is not properly formed. Using a tool like ieHTTPHeaders you can view the HTTP header information as the page is requested and save it, or copy and paste it, to a file.

Doing that for this issue, we found that the "Authorization: Negotiate   <some big long ugly 10000 byte token>" header was over 10 KB when the complete token is highlighted in a text editor.

GET /IDMProv/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)
Accept-Encoding: gzip, deflate
Host: expiamcui.hughes.com:8444
Connection: Keep-Alive
Cookie: JSESSIONID=44DD24E1E2EE9H72H9602A014E11B053A
Authorization: Negotiate   <some big long ugly 10000 byte token>
 
HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Mon, 23 Apr 2012 19:18:14 GMT
Connection: close
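The capture above shows the symptom but not the arithmetic behind it. The script below is an added example written for this TID (it is not part of the original article or of the Identity Manager product): it reads the maxHttpHeaderSize from a Connector element, applying the 8192-byte default JBoss Web uses when the attribute is absent, builds a request shaped like the captured one with a filler token of a chosen length, and reports whether the whole header block would fit the buffer. The server.xml fragments, the host name, the session id and the token are all constructed; the token is plain filler, not a real Kerberos/SPNEGO blob. Kerberos tokens grow with the number of groups a user belongs to, which is why only some users hit the limit, so run it with the token length taken from your own capture.

```python
"""Check whether an SSO request's header block fits the JBoss Web Connector buffer.

Added example for TID 7005181, not part of the original article. The Connector
fragments and the request are constructed; the Negotiate token is 'A' filler of
the requested length rather than a real Kerberos/SPNEGO token.
"""
import xml.etree.ElementTree as ET

# JBoss Web (Tomcat) uses 8192 bytes when maxHttpHeaderSize is not set on the Connector.
DEFAULT_MAX_HTTP_HEADER_SIZE = 8192

# Constructed Connector fragments: one as shipped (no attribute), one with the TID's fix.
SERVER_XML_DEFAULT = """<Service name="jboss.web">
  <Connector protocol="HTTP/1.1" SSLEnabled="true" port="443"
             scheme="https" secure="true" clientAuth="false"/>
</Service>"""

SERVER_XML_FIXED = """<Service name="jboss.web">
  <Connector protocol="HTTP/1.1" SSLEnabled="true" port="443"
             maxHttpHeaderSize="16384"
             scheme="https" secure="true" clientAuth="false"/>
</Service>"""


def connector_limits(server_xml):
    """Map each Connector's port to its effective maxHttpHeaderSize (default applied when absent)."""
    root = ET.fromstring(server_xml)
    return {
        c.get("port"): int(c.get("maxHttpHeaderSize", DEFAULT_MAX_HTTP_HEADER_SIZE))
        for c in root.iter("Connector")
    }


def build_request(token_len):
    """Construct a request shaped like the captured one; the token is 'A' filler of token_len bytes."""
    lines = [
        "GET /IDMProv/ HTTP/1.1",
        "Accept: */*",
        "Accept-Language: en-us",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
        "Accept-Encoding: gzip, deflate",
        "Host: idm.example.com:8444",  # placeholder host, not the one in the capture
        "Connection: Keep-Alive",
        "Cookie: JSESSIONID=PLACEHOLDER",
        "Authorization: Negotiate " + "A" * token_len,
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def header_block_size(raw_request):
    """Bytes the server must buffer before acting: request line + headers + terminating blank line."""
    data = raw_request.encode("ascii")
    end = data.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("incomplete header block")
    return end + 4


def largest_header(raw_request):
    """Return (name, byte length) of the longest header line, to show what drives the size."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    best = ("", 0)
    for line in head.split("\r\n")[1:]:  # skip the request line
        name = line.split(":", 1)[0]
        size = len(line.encode("ascii"))
        if size > best[1]:
            best = (name, size)
    return best


def fits(raw_request, max_header_size):
    """Approximation of JBoss Web's check: the whole header block must fit in the buffer, else 400."""
    return header_block_size(raw_request) <= max_header_size


if __name__ == "__main__":
    req = build_request(10000)  # a 10 KB token, as in the TID
    size = header_block_size(req)
    name, n = largest_header(req)
    print(f"header block: {size} bytes; largest header: {name} ({n} bytes)")
    for label, xml in (("default", SERVER_XML_DEFAULT), ("fixed", SERVER_XML_FIXED)):
        limit = connector_limits(xml)["443"]
        verdict = "OK" if fits(req, limit) else "400 Bad Request expected"
        print(f"{label}: maxHttpHeaderSize={limit} -> {verdict}")
```

To check a live system, pass the contents of jboss/server/IDMProv/deploy/jbossweb.sar/server.xml to connector_limits (the ${jboss.bind.address} placeholder parses fine as an attribute value) and feed the raw request saved from ieHTTPHeaders to header_block_size. The comparison is an approximation of the container's buffer accounting, so leave headroom above the largest token you observe rather than sizing the buffer to it exactly.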