Apache Bad Request "Size of a request header field exceeds server limit" with Kerberos SSO

Posted by Aurelin on Server Fault See other posts from Server Fault or by Aurelin
Published on 2012-02-21T16:29:42Z Indexed on 2012/10/18 5:08 UTC
Read the original article Hit count: 774

I'm setting up an SSO for Active Directory users through a website that runs on an Apache (Apache2 on SLES 11.1), and when testing with Firefox it all works fine. But when I try to open the website in Internet Explorer 8 (Windows 7), all I get is

"Bad Request

Your browser sent a request that this server could not understand.

Size of a request header field exceeds server limit.

Authorization: Negotiate [ultra long string]"

My vhost.cfg looks like this:

<VirtualHost hostname:443>
  LimitRequestFieldSize 32760
  LimitRequestLine 32760
  LogLevel debug

  <Directory "/data/pwtool/sec-data/adbauth">
    AuthName "Please login with your AD-credentials (Windows Account)"
    AuthType Kerberos
    KrbMethodNegotiate on
    KrbAuthRealms REALM.TLD
    KrbServiceName HTTP/hostname
    Krb5Keytab /data/pwtool/conf/http_hostname.krb5.keytab
    KrbMethodK5Passwd on
    KrbLocalUserMapping on
    Order allow,deny
    Allow from all
  </Directory>

  <Directory "/data/pwtool/sec-data/adbauth">
    Require valid-user
  </Directory>

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/hostname-server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/hostname-server.key
</VirtualHost>

I also made sure that the cookies are deleted and tried several smaller values for LimitRequestFieldSize and LimitRequestLine.

Another thing that seems weird to me is that even with LogLevel debug I won't get any logs about this. The log's last line is

ssl_engine_kernel.c(1879): OpenSSL: Write: SSL negotiation finished successfully

Does anyone have an idea about that?

© Server Fault or respective owner

Related posts about apache2

Related posts about single-sign-on