SSO - Adaptations for Users with Membership in too many AD Groups
If a user is a member of too many groups in Active Directory (AD), the following problem may occur:
... the request entity is too large ...
To solve this problem, VertiGIS recommends the following system settings:
Registry
Increase the MaxTokenSize to 32 kb under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters:
- MaxTokenSize = 32000
For more details see https://support.microsoft.com/kb/938118/en.
MaxTokenSize
Add the following entries (DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters:
- MaxFieldLength = 65534
- MaxRequestBytes = 65534
For more details see https://support.microsoft.com/kb/820129/en.
MaxFieldLength and MaxRequestBytes
Tomcat
•Make these adjustments based on the WebOffice-specific files from the WebOffice10.9R4-DVD directory WebOffice10.9R4-DVD\Software\Miscellaneous\Apache Tomcat Connectors\ApacheConnector_Tomcat90.zip.
•For more information, see chapter Installation of the <%TOMCAT_CONNECTOR%>.
Add the parameter max_packet_size=65536 to the file workers.properties.minimal (C:\Tomcat\conf) and adjust this file as shown below:
# workers.properties.minimal -
#
# This file provides minimal jk configuration properties needed to
# connect to Tomcat.
#
# The workers that jk should create and work with.
#
worker.list=worker1
#
# Defining a worker named worker1 and of type ajp13.
# Note that the name and the type do not have to match.
#
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.max_packet_size=65536
For more details see https://tomcat.apache.org/connectors-doc/reference/workers.html.
Now edit the file server.xml (C:\Tomcat\conf):
•For the HTTP Connector (port="8080"), configure maxHttpHeaderSize="65536"
•For the AJP Connector (port="8009"), configure packetSize="65536"
For more details see https://tomcat.apache.org/tomcat-9.0-doc/config/index.html.
Configure in file "server.xml": packetSize and maxHttpHeaderSize
•Make these adjustments in the server.xml file only in these two code passages (port="8080" and port="8009").
•After saving the changes, IIS (Microsoft Internet Information Services) and Apache Tomcat must be restarted.
•If the changes have no effect, analyze the problem further with focused logging. To do this, enable Apache Connector logging in C:\Tomcat\bin\win\isapi_redirect.properties (log_level=trace). After that, look for entries containing mod_jk in the log file (C:\Tomcat\logs\isapi_redirect.log).
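The following Python check is an added example, not part of the WebOffice documentation or any VertiGIS tooling: it reads the contents of workers.properties.minimal and server.xml and reports where max_packet_size, packetSize and maxHttpHeaderSize deviate from the 65536 configured above, or where the connector and Tomcat sides disagree. The sample file contents and the function names parse_properties and audit are constructed for illustration.

```python
import xml.etree.ElementTree as ET
EXPECTED = "65536"  # value this page sets for all three parameters
# Constructed sample inputs, not taken from a real installation.
SAMPLE_WORKERS = """\
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.max_packet_size=65536
"""
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" packetSize="65536"/>
</Service></Server>
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(workers_text, server_xml_text):
    """Return findings; an empty list means both files match the page."""
    findings = []
    props = parse_properties(workers_text)
    connectors = {c.get("port"): c for c in ET.fromstring(server_xml_text).iter("Connector")}
    names = [n.strip() for n in props.get("worker.list", "").split(",")]
    for name in filter(None, names):
        if props.get(f"worker.{name}.type") != "ajp13":
            continue
        port = props.get(f"worker.{name}.port", "8009")  # mod_jk default AJP port
        jk_size = props.get(f"worker.{name}.max_packet_size")
        if jk_size != EXPECTED:
            findings.append(f"{name}: max_packet_size={jk_size}, want {EXPECTED}")
        ajp = connectors.get(port)  # the AJP packet size must agree on both sides
        if ajp is None:
            findings.append(f"{name}: no Connector on port {port}")
        elif ajp.get("packetSize") != jk_size:
            findings.append(f"{name}: packetSize={ajp.get('packetSize')} differs from max_packet_size={jk_size}")
    http = connectors.get("8080")
    if http is None or http.get("maxHttpHeaderSize") != EXPECTED:
        findings.append(f"HTTP connector 8080: maxHttpHeaderSize is not {EXPECTED}")
    return findings
```

To check a real installation, pass the text of the two files under C:\Tomcat\conf to audit(); the constructed sample yields one finding because its HTTP connector lacks maxHttpHeaderSize.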