SSO - Adaptations for Users with Membership in too many AD Groups

If a user is a member of too many groups in Active Directory (AD), the following error may occur:

... the request entity is too large ...

To solve this problem, VertiGIS recommends the following system settings:

Registry

Increase the MaxTokenSize value to 32 KB under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters:

- MaxTokenSize = 32000

For more details see https://support.microsoft.com/kb/938118/en.

Screenshot: MaxTokenSize

Add the following entries (DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters:

- MaxFieldLength = 65534

- MaxRequestBytes = 65534

For more details see https://support.microsoft.com/kb/820129/en.

Screenshot: MaxFieldLength and MaxRequestBytes
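
The two registry steps above belong together: the Kerberos ticket that carries a user's group SIDs grows with the number of groups and travels to IIS inside the HTTP Authorization header, so both the Kerberos token limit and the HTTP.sys header limits have to be raised. The following PowerShell is an added example, not VertiGIS code or part of this documentation. It applies the three values exactly as listed on this page, creates the Kerberos\Parameters key if it is missing (it is often absent on a fresh system), and reads every value back. It assumes an elevated PowerShell session on the IIS server.

```powershell
# Added example, not VertiGIS code: apply the three registry values recommended
# above and read them back. Run in an elevated PowerShell session; the paths and
# values are exactly those listed on this page.

$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
       Name = 'MaxTokenSize';    Value = 32000 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
       Name = 'MaxFieldLength';  Value = 65534 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
       Name = 'MaxRequestBytes'; Value = 65534 }
)

foreach ($s in $settings) {
    # The Kerberos\Parameters key is often missing on a fresh system: create it
    if (-not (Test-Path -Path $s.Path)) {
        New-Item -Path $s.Path -Force | Out-Null
    }

    $before = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($before -eq $s.Value) {
        Write-Output "$($s.Name) is already $($s.Value)"
        continue
    }

    # Set-ItemProperty creates the value if it does not exist yet; DWORD is the
    # value type documented for these entries
    Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord

    # Read back and fail loudly if the write did not stick
    $after = (Get-ItemProperty -Path $s.Path -Name $s.Name).($s.Name)
    if ($after -ne $s.Value) {
        throw "$($s.Path)\$($s.Name): expected $($s.Value), found $after"
    }
    Write-Output "$($s.Name): $before -> $after"
}

Write-Output 'Restart the server so that Kerberos and HTTP.sys pick up the new values.'
```

The script is idempotent, so it can be run again after a restart to confirm that the values survived. The Microsoft articles linked above describe the exact conditions under which each value takes effect; a server restart covers all three.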

Tomcat

Note: make these adjustments using the WebOffice-specific files from the directory WebOffice10.9R4-DVD\Software\Miscellaneous\Apache Tomcat Connectors\ApacheConnector_Tomcat90.zip on the WebOffice10.9R4-DVD.

For more information, see chapter Installation of the <%TOMCAT_CONNECTOR%>.

Add the parameter max_packet_size=65536 to the file workers.properties.minimal (C:\Tomcat\conf), so that the file looks as follows:

# workers.properties.minimal -
#
# This file provides minimal jk configuration properties needed to
# connect to Tomcat.

#
# The workers that jk should create and work with.
#
worker.list=worker1

#
# Defining a worker named worker1 and of type ajp13.
# Note that the name and the type do not have to match.
#
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.max_packet_size=65536

For more details see https://tomcat.apache.org/connectors-doc/reference/workers.html.

Now edit the file server.xml (C:\Tomcat\conf):

- For the HTTP Connector (port="8080"), configure maxHttpHeaderSize="65536"

- For the AJP Connector (port="8009"), configure packetSize="65536"

For more details see https://tomcat.apache.org/tomcat-9.0-doc/config/index.html.

Screenshot: Configure in file "server.xml": packetSize and maxHttpHeaderSize

Note: these adjustments in server.xml should be made only in these two Connector elements (port="8080" and port="8009").

After saving the changes, IIS (Microsoft Internet Information Services) and Apache Tomcat must be restarted.

If the changes have no effect, analyze the problem further with focused logging: set log_level=trace in the Apache Connector configuration C:\Tomcat\bin\win\isapi_redirect.properties, then look for entries containing mod_jk in the log file (C:\Tomcat\logs\isapi_redirect.log).
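Before restarting IIS and Tomcat, a quick consistency check of the two Tomcat files saves a round of trace-log analysis. The following PowerShell is an added example, not part of the WebOffice product or of this documentation. It assumes the default C:\Tomcat paths used on this page and the worker naming from workers.properties.minimal. It parses server.xml as XML rather than grepping it, so Connector elements that are commented out are ignored, and it confirms that the AJP packetSize equals the mod_jk max_packet_size, which the Tomcat AJP connector documentation requires.

```powershell
# Added example, not part of the WebOffice product or this documentation.
# Checks that workers.properties.minimal and server.xml agree on the sizes
# configured above. Assumes the default paths used on this page.
$TomcatHome = 'C:\Tomcat'
$Expected   = 65536

function Get-WorkerPacketSize {
    param([string]$WorkersFile)
    # workers.properties is key=value text, e.g. worker.worker1.max_packet_size=65536
    foreach ($line in Get-Content -Path $WorkersFile) {
        if ($line -match '^\s*worker\.[^.]+\.max_packet_size\s*=\s*(\d+)\s*$') {
            return [int]$Matches[1]
        }
    }
    return $null
}

function Get-ConnectorAttribute {
    param([string]$ServerXml, [string]$Port, [string]$Attribute)
    # Parse as XML rather than grep: Connector elements inside <!-- --> comments
    # are ignored, so only the active connector for this port is inspected
    [xml]$doc = Get-Content -Path $ServerXml -Raw
    $node = $doc.SelectSingleNode("//Connector[@port='$Port']")
    if ($null -eq $node) { return $null }
    $value = $node.GetAttribute($Attribute)
    if ([string]::IsNullOrEmpty($value)) { return $null }
    return [int]$value
}

$workersFile = Join-Path -Path $TomcatHome -ChildPath 'conf\workers.properties.minimal'
$serverXml   = Join-Path -Path $TomcatHome -ChildPath 'conf\server.xml'

$maxPacket  = Get-WorkerPacketSize -WorkersFile $workersFile
$ajpPacket  = Get-ConnectorAttribute -ServerXml $serverXml -Port '8009' -Attribute 'packetSize'
$httpHeader = Get-ConnectorAttribute -ServerXml $serverXml -Port '8080' -Attribute 'maxHttpHeaderSize'

$problems = @()
if ($maxPacket -ne $Expected) {
    $problems += "workers.properties.minimal: max_packet_size is '$maxPacket', expected $Expected"
}
if ($ajpPacket -ne $Expected) {
    $problems += "server.xml: AJP Connector (port 8009) packetSize is '$ajpPacket', expected $Expected"
}
if ($httpHeader -ne $Expected) {
    $problems += "server.xml: HTTP Connector (port 8080) maxHttpHeaderSize is '$httpHeader', expected $Expected"
}
# Tomcat requires packetSize to equal the mod_jk max_packet_size; if they
# differ, the larger value on one side of the AJP link is simply wasted
if ($maxPacket -ne $ajpPacket) {
    $problems += "max_packet_size ($maxPacket) and packetSize ($ajpPacket) differ"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "Tomcat configuration consistent: all sizes are $Expected"
}
```

Run the script after editing both files and before the restart; each warning names the file and attribute that still needs attention. If trace logging is enabled afterwards as described above, remember that log_level=trace makes isapi_redirect.log grow quickly, so restore the previous log level once the mod_jk entries have been reviewed.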