When implementing Kerberos SSO with Apache on SLES 11.1, we encountered a peculiar issue where Internet Explorer 8 triggers a 400 Bad Request
error while Firefox works perfectly. The error message clearly indicates the Kerberos negotiation token exceeds Apache's default header size limits:
Authorization: Negotiate [ultra long string]
The core solution lies in adjusting Apache's request handling limits. While the original configuration included:
LimitRequestFieldSize 32760
LimitRequestLine 32760
The directives to set depend on the Apache version in use:
# For Apache 2.4+
LimitRequestFields 100
LimitRequestFieldSize 81900
LimitRequestLine 81900
# For older Apache versions
LimitRequestFieldSize 32760
LimitRequestLine 32760
The negotiation token size varies significantly between browsers. IE8 tends to generate larger tokens due to its SPNEGO implementation. Consider these krb5.conf adjustments:
[libdefaults]
default_realm = REALM.TLD
forwardable = true
clockskew = 300
[realms]
REALM.TLD = {
kdc = dc1.realm.tld
admin_server = dc1.realm.tld
}
When logs mysteriously stop at SSL handshake completion, try these diagnostic approaches:
# Enable trace-level logging (per-module levels such as mod_ssl:trace4 need Apache 2.4; Apache 2.2 accepts only a single global LogLevel)
LogLevel debug mod_ssl:trace4 mod_auth_kerb:trace4
# Packet capture for header inspection (the Authorization header is inside TLS, so without the server key you only see record sizes)
tcpdump -i eth0 -s 0 -w kerberos.pcap port 443
For environments locked to IE8, consider these additional measures:
# Legacy SSL workarounds for old IE (keepalive and HTTP/1.0 handling); this does not by itself switch IE to NTLM
BrowserMatch "MSIE [1-8]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Alternative SPN configuration
KrbServiceName HTTP/hostname@REALM.TLD
For contemporary systems, these additional security measures should be implemented alongside the header size fixes:
# Stronger cipher suite for modern browsers
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
When implementing Kerberos SSO for Active Directory authentication on Apache (Apache2 on SLES 11.1), Firefox works perfectly but Internet Explorer 8 (Windows 7) fails with:
Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.
Authorization: Negotiate [ultra long string]
The fundamental problem stems from how different browsers handle Kerberos authentication tokens:
- IE8 generates significantly larger Kerberos tokens than Firefox
- Apache's default LimitRequestFieldSize (8190 bytes) is too small for IE8's tokens
- The error occurs during the SPNEGO negotiation phase
Here's the complete working vhost configuration that resolved this issue:
<VirtualHost hostname:443>
    # Critical settings for large Kerberos tokens
    LimitRequestFieldSize 32760
    LimitRequestLine 32760
    LogLevel debug

    # Kerberos authentication settings (mod_auth_kerb)
    <Directory "/data/pwtool/sec-data/adbauth">
        AuthName "AD Authentication"
        AuthType Kerberos
        KrbMethodNegotiate on
        KrbAuthRealms REALM.TLD
        KrbServiceName HTTP/hostname
        Krb5Keytab /data/pwtool/conf/http_hostname.krb5.keytab
        # Allows Basic-auth fallback with the Kerberos password sent to Apache; keep only if needed
        KrbMethodK5Passwd on
        KrbLocalUserMapping on
        # Apache 2.2 access control; Require valid-user is what enforces authentication
        Order allow,deny
        Allow from all
        Require valid-user
    </Directory>

    # SSL Configuration (this cipher string is the SLES 11 default and still permits weak ciphers;
    # the stronger SSLCipherSuite and SSLProtocol given above are preferable)
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/hostname-server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/hostname-server.key
</VirtualHost>
When troubleshooting Kerberos authentication issues:
- Enable detailed logging:
LogLevel debug
ErrorLog /var/log/apache2/kerberos_error.log
CustomLog /var/log/apache2/kerberos_access.log combined
- Use klist to verify the keytab (this lists the keytab entries, not cached tickets):
klist -kte /data/pwtool/conf/http_hostname.krb5.keytab
- Test with curl:
curl -v --negotiate -u : https://hostname/
For enterprise environments with complex Kerberos requirements:
- Consider implementing mod_auth_kerb for better Kerberos support
- For Windows environments, ensure SPNs are properly configured (the SPN must match KrbServiceName and the principal in the keytab):
setspn -A HTTP/hostname domain\account
- Monitor token sizes as they can vary based on AD group membership
Increasing LimitRequestFieldSize affects:
- Memory usage per request
- Potential vulnerability to buffer overflow attacks
- Server performance under heavy load
Balance security and functionality by setting the minimum required value.
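Since the page advises monitoring token sizes and setting the smallest limit that works, here is an added Python helper (my example, not code from the original page, Apache or mod_auth_kerb) that measures the Authorization: Negotiate line of a decrypted request, tells a Kerberos token from an NTLM fallback by its leading bytes, and proposes a LimitRequestFieldSize. The sample requests are constructed, and the 25% headroom and 1 KiB rounding are assumed policy.

```python
import base64
import math
import re

# Apache's compiled-in default LimitRequestFieldSize and the value set in the vhost above.
DEFAULT_LIMIT = 8190
CONFIGURED_LIMIT = 32760
# Matches a whole "Authorization: Negotiate <base64>" header line in a raw request.
AUTH_RE = re.compile(r"^Authorization:[ \t]*Negotiate[ \t]+(\S+)[ \t]*\r?$", re.I | re.M)

def token_kind(raw: bytes) -> str:
    """Classify a decoded Negotiate payload by its leading bytes."""
    if raw.startswith(b"NTLMSSP\x00"):
        return "NTLM"             # the browser fell back to NTLM instead of Kerberos
    if raw[:1] == b"\x60":
        return "SPNEGO/Kerberos"  # GSS-API InitialContextToken, DER tag [APPLICATION 0]
    return "unknown"

def check_negotiate_headers(request_text: str, limit: int = DEFAULT_LIMIT) -> list:
    """One report per Negotiate header: line size, token type, whether it breaks the limit."""
    reports = []
    for match in AUTH_RE.finditer(request_text):
        line = match.group(0).rstrip("\r")
        try:
            raw = base64.b64decode(match.group(1), validate=True)
            kind = token_kind(raw)
        except ValueError:  # binascii.Error is a ValueError
            raw, kind = b"", "invalid base64"
        reports.append({
            # Apache measures the whole field line (name, separator, value), not just the token.
            "header_bytes": len(line),
            "token_bytes": len(raw),
            "kind": kind,
            "exceeds_limit": len(line) > limit,
        })
    return reports

def suggested_limit(header_bytes: int, headroom: float = 1.25) -> int:
    """Smallest 1 KiB multiple with the assumed headroom above the observed line, never below the default."""
    return max(DEFAULT_LIMIT, math.ceil(header_bytes * headroom / 1024) * 1024)

# Constructed sample requests (not real captures): an oversized Kerberos-style token of the
# kind IE8 produces, and a small NTLM token showing what a fallback looks like.
BIG_TOKEN = base64.b64encode(b"\x60" + b"\x00" * 12000).decode()
NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28).decode()
SAMPLE_REQUESTS = {
    "ie8": f"GET / HTTP/1.1\r\nHost: hostname\r\nAuthorization: Negotiate {BIG_TOKEN}\r\n\r\n",
    "ntlm": f"GET / HTTP/1.1\r\nHost: hostname\r\nAuthorization: Negotiate {NTLM_TOKEN}\r\n\r\n",
}
```

Calling check_negotiate_headers(SAMPLE_REQUESTS["ie8"]) reports a 16029-byte line that breaks the 8190 default but fits the 32760 setting, and suggested_limit(16029) proposes 20480.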