http error 413.0 - FULL head... during SSO login for a few users
Hi, SInce a couple of hours some users receive the following error page when they login our application. http error 413.0 - FULL head The page was not displayed because the request entity is too large. We have an IIS webserver and did encounter the error message before however not in the case of login (we got the error when uploading large files > in that case it seemed a valid error). The application log file does not register the attempt to access the application. 2 users experience this behaviour in IE, but after pressing F5 (refresh) 1x they can access (clearing full cache does not resolve this behaviour). 1 user is experiencing the behaviour in Chrome (our default browser) as well and refreshing or clearing cache does not make a difference, he cannot access the application. All other users seem to be able to access the application without any issues. Anyone any ideas? Thanks. Brian When the user, uses an URL that directly connects to the Mendix business server (circumventing the IIS), the issue does not seem to occur.
Did you see this page It seems like a known issue that has a fix.
As of mendix service console 4.1.1. a new setting is available: jetty request header size. Increasing the value to 8kb has resolved our issue.
the windows service needs to be de-installed and installed again in order to pick up the new settings.
logged a support call. Mendix indicates (for now) that the issue might be solved by the upcoming Mendix Windows console. Additionally we found the following note that might explain the root cause. It would correspond with our users experiencing the issue (both have a lot of authorizations).
The problem and the fix - increasing the maximum header size and the maximum request size of HTTP.SYS - is described in this KB article. So why would the Kerberos Authorization get larger than 16kB? Turns out that the Kerberos ticket which is encoded in the Authorization header contains all group memberships of the user who wants to authenticate against the web server. The more groups a user is a member of the larger the Authorization header gets. The magic number of group memberships seems to be around 300.