Environment
Novell Identity Manager 4.0.1 Advanced Edition
Situation
After configuring the User Application to use Single Sign-On (SSO) with a Kerberos token from Active Directory, login works for most users but fails for some users with a 400 error.
Resolution
To fix the issue, increase the maxHttpHeaderSize attribute on the HTTP connector in the JBoss server.xml file and restart JBoss. Below is an example with maxHttpHeaderSize set to 16 KB (16384 bytes).
The file to change is jboss/server/IDMProv/deploy/jbossweb.sar/server.xml. An excerpt of the connector XML with the parameter already added follows:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="443" address="${jboss.bind.address}"
           maxHttpHeaderSize="16384"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="/opt/novell/idm/jre/lib/security/cacerts"
           keystorePass="changeit" sslProtocol="TLS"
           keyAlias="ssl certificateip"/>
Cause
The token returned from Active Directory was 10 KB, but the default JBoss buffer for the HTTP header is only 8 KB. The HTTP header could not be read completely, so the login fails with a 400 error.
Additional Information
A 400 error indicates that the server rejected the request as malformed. Using a tool such as ieHTTPHeaders you can view the HTTP header information as the page is requested and save it, or copy and paste it, to a file.
Capturing the failing login this way, we found the "Authorization: Negotiate <some big long ugly 10000 byte token>" header was over 10 KB when the complete token is highlighted in a text editor.
GET /IDMProv/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)
Accept-Encoding: gzip, deflate
Host: expiamcui.hughes.com:8444
Connection: Keep-Alive
Cookie: JSESSIONID=44DD24E1E2EE9H72H9602A014E11B053A
Authorization: Negotiate <some big long ugly 10000 byte token>
HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Mon, 23 Apr 2012 19:18:14 GMT
Connection: close
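The failing request above and the Cause section describe a header block that exceeds the connector's default 8 KB buffer. The following Python script is an added example, not part of this TID or of the Identity Manager product: it rebuilds a request of the same shape with a constructed 10000-byte placeholder token (the host and cookie values are placeholders too) and measures the header block against the default and the raised maxHttpHeaderSize, so a captured request can be checked before server.xml is changed.

```python
# Added example, not part of the original TID: measure the size of a captured
# HTTP request header block the way a fixed-buffer connector such as the JBoss
# Web / Tomcat connector (maxHttpHeaderSize) sees it, and report whether it
# fits under a given limit. The request is constructed from the header capture
# in the TID; the Negotiate token is a constructed 10000-byte placeholder, not a
# real Kerberos token, and the host and cookie values are placeholders.

import base64

DEFAULT_MAX_HTTP_HEADER_SIZE = 8192    # JBoss Web / Tomcat default (8 KB)
RAISED_MAX_HTTP_HEADER_SIZE = 16384    # value in the TID's server.xml excerpt (16 KB)

# Deterministic constructed token: 7680 bytes base64-encoded gives 10240
# characters; trimmed to exactly 10000 to match the size reported in the TID.
FAKE_TOKEN = base64.b64encode(bytes(range(256)) * 30).decode("ascii")[:10000]


def build_request(token, host="idm.example.com:8444"):
    """Build a GET /IDMProv/ request like the one in the capture, CRLF-terminated."""
    lines = [
        "GET /IDMProv/ HTTP/1.1",
        "Accept: */*",
        "Accept-Language: en-us",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
        "Accept-Encoding: gzip, deflate",
        "Host: " + host,
        "Connection: Keep-Alive",
        "Cookie: JSESSIONID=CONSTRUCTED00000000000000000000",
        "Authorization: Negotiate " + token,
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def header_block_size(raw_request):
    """Bytes from the request line through the blank line that ends the headers.

    This is the region a connector must buffer before it can route the request,
    so it is what maxHttpHeaderSize bounds.
    """
    end = raw_request.find("\r\n\r\n")
    if end == -1:
        raise ValueError("no end-of-headers blank line in request")
    return len(raw_request[: end + 4].encode("latin-1"))


def largest_header(raw_request):
    """Return (name, value_length) of the header with the longest value."""
    end = raw_request.find("\r\n\r\n")
    header_lines = raw_request[:end].split("\r\n")[1:]   # skip the request line
    best = ("", 0)
    for line in header_lines:
        name, _, value = line.partition(":")
        if len(value.strip()) > best[1]:
            best = (name.strip(), len(value.strip()))
    return best


def fits(raw_request, max_header_size):
    """True if the connector would accept the header block at this limit."""
    return header_block_size(raw_request) <= max_header_size


def diagnose(raw_request, max_header_size=DEFAULT_MAX_HTTP_HEADER_SIZE):
    """Summarise the header block against a limit, as a dict."""
    size = header_block_size(raw_request)
    name, length = largest_header(raw_request)
    return {
        "header_block_bytes": size,
        "limit": max_header_size,
        "fits": size <= max_header_size,
        "largest_header": name,
        "largest_header_value_bytes": length,
    }


if __name__ == "__main__":
    req = build_request(FAKE_TOKEN)
    for limit in (DEFAULT_MAX_HTTP_HEADER_SIZE, RAISED_MAX_HTTP_HEADER_SIZE):
        print(diagnose(req, limit))
```

To run it against a real capture, paste the saved headers into a string with CRLF line endings and pass it to diagnose(). The header size differs from user to user because the Kerberos token embeds the user's group memberships, which is why only some users hit the limit; raise maxHttpHeaderSize only as far as the largest observed header block needs, since the buffer is allocated per connection.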