
SSO - Adaptations for Users with Membership in too many AD Groups


If a user is a member of too many groups in Active Directory (AD), the following problem may occur:

... the request entity is too large ...

To solve this problem, SynerGIS recommends the following system settings:

 

Registry

Increase the MaxTokenSize to 32 kb under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters:

- MaxTokenSize = 32000

http://support.microsoft.com/kb/938118/en

 

MaxTokenSize

 

Add the following entries (DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters:

- MaxFieldLength = 65534

- MaxRequestBytes = 65534

http://support.microsoft.com/kb/820129/en

 

MaxFieldLength and MaxRequestBytes

 

Tomcat

- Add the parameter max_packet_size=65536 in the workers.properties.minimal (C:\Tomcat\conf) and adjust this file as shown in the following:

 

# workers.properties.minimal -

#

# This file provides minimal jk configuration properties needed to

# connect to Tomcat.

 

#

# The workers that jk should create and work with.

#

worker.list=worker1

 

#

# Defining a worker named worker1 and of type ajp13.

# Note that the name and the type do not have to match.

#

worker.worker1.type=ajp13

worker.worker1.host=localhost

worker.worker1.port=8009

worker.worker1.max_packet_size=65536

 

http://tomcat.apache.org/connectors-doc/reference/workers.html

 

- Edit packetSize in server.xml

- Configure packetSize="65536" for AJP connector (port=8009)

- Configure maxHttpHeaderSize="65536" for HTTP connector (port=8080)

 

packetSize and maxHttpHeaderSize
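The following check is an added example, not part of the original WebOffice documentation. It verifies that the Tomcat-side values from this page are present in both files, because mod_jk's max_packet_size and the AJP connector's packetSize have to agree. The function names and the sample file contents are constructed for illustration, and the check covers every HTTP connector in server.xml, not only port 8080.

```python
import xml.etree.ElementTree as ET

EXPECTED = "65536"  # value the page sets in workers.properties and server.xml

def parse_workers(text):
    """Parse workers.properties content into a dict, ignoring comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_sizes(workers_text, server_xml_text, worker="worker1"):
    """Return findings; an empty list means both files carry the page's values."""
    findings = []
    props = parse_workers(workers_text)
    jk_size = props.get(f"worker.{worker}.max_packet_size")
    if jk_size != EXPECTED:
        findings.append(f"mod_jk {worker}: max_packet_size={jk_size}")
    ajp_port = props.get(f"worker.{worker}.port")
    ajp_seen = False
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        port = conn.get("port")
        if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
            if port != ajp_port:
                continue  # AJP connector not used by this worker
            ajp_seen = True
            attr = "packetSize"
        else:
            attr = "maxHttpHeaderSize"
        if conn.get(attr) != EXPECTED:
            findings.append(f"server.xml port {port}: {attr}={conn.get(attr)}")
    if not ajp_seen:
        findings.append(f"server.xml: no AJP connector on port {ajp_port}")
    return findings

# Constructed sample input (not taken from a real installation).
WORKERS = """worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.max_packet_size=65536
"""
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" maxHttpHeaderSize="65536"/>
  <Connector port="8009" protocol="AJP/1.3"/>
</Service></Server>"""

if __name__ == "__main__":
    for finding in check_sizes(WORKERS, SERVER_XML):
        print(finding)
```

In the constructed sample the AJP connector has no packetSize attribute, so the check reports it while the worker side and the HTTP connector pass.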

 

Note: After applying these settings, IIS (Microsoft Internet Information Services) and Apache Tomcat have to be restarted!

Note: If these settings have no effect, you have to analyze the problem further with focused logging. Enable the Apache Connector logging in C:\Tomcat\bin\win\isapi_redirect.properties (log_level=trace) and look for entries containing mod_jk in the log file (C:\Tomcat\logs\isapi_redirect.log).