How to... > Single Sign On-Adjustments for Accounts with a lot AD Group Memberships

1.Prerequisite: The Domain Controller Admins have to raise the MaxTokenSize to e.g. 32kb. Just follow the Microsoft article http://support.microsoft.com/kb/938118/en-us.

2.Configuration of "max_packet_size" in "workers.properties.minimal"

a.Go to "C:\Tomcat\conf\uriworkermap.properties"

b.Add "ajp13" at the parameter "worker.list":
worker.list=wlb,jkstatus,ajp13

c.The following line has to be added in general to the file:
worker.ajp13w.max_packet_size=65536

3.Configuration of "packetSize" in "server.xml"

a.Go to "C:\Tomcat\conf\server.xml"

b.At all Connectors (port="8080" and port="8009") the parameter packetSize="65536" and maxHttpHeaderSize="65536" have to be added:

4.Add Windows-Registry for "MaxFieldLength" and "MaxRequestBytes":

a.Open Windows registry through Start Menu > Run... > "regedit"

b.Go to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\HTTP\Parameters"

c.Add the following "DWORD"-parameter:
MaxFieldLength = 65534
MaxRequestBytes = 65534

Adding parameters MaxFieldLength and MaxRequestBytes

d.Background information to this step can be found at http://support.microsoft.com/kb/820129.

5.If the steps above are not working, have a look at the Apache Connector log-files:

a.Turn on the logging for Apache Connectors at "C:\Tomcat\bin\win\isapi_redirect.properties"

b.Set "log_level=error" to "log_level=trace"

c.Go to Start Menu > Administrative Tools > Services and restart IIS, WWW Publishing Services and Apache Tomcat

d.Try to logon to the WebOffice-Application

e.See Apache Tomcat Connector log files at "C:\Tomcat\logs\isapi_redirect.log" for more information - important are the entries about "mod_ik one"

f.Reset Apache Connector log level back to "error"

g.Restart IIS, WWW Publishing Services and Apache Tomcat