Apache Bad Request "Size of a request header field exceeds server limit" with Kerberos SSO
- by Aurelin
I'm setting up an SSO for Active Directory users through a website that runs on an Apache (Apache2 on SLES 11.1), and when testing with Firefox it all works fine.
But when I try to open the website in Internet Explorer 8 (Windows 7), all I get is
"Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.
Authorization: Negotiate [ultra long string]"
My vhost.cfg looks like this:
<VirtualHost hostname:443>
LimitRequestFieldSize 32760
LimitRequestLine 32760
LogLevel debug
<Directory "/data/pwtool/sec-data/adbauth">
AuthName "Please login with your AD-credentials (Windows Account)"
AuthType Kerberos
KrbMethodNegotiate on
KrbAuthRealms REALM.TLD
KrbServiceName HTTP/hostname
Krb5Keytab /data/pwtool/conf/http_hostname.krb5.keytab
KrbMethodK5Passwd on
KrbLocalUserMapping on
Order allow,deny
Allow from all
</Directory>
<Directory "/data/pwtool/sec-data/adbauth">
Require valid-user
</Directory>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/hostname-server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/hostname-server.key
</VirtualHost>
I also made sure that the cookies are deleted and tried several smaller values for LimitRequestFieldSize and LimitRequestLine.
Another thing that seems weird to me is that even with LogLevel debug I won't get any logs about this.
The log's last line is
ssl_engine_kernel.c(1879): OpenSSL: Write: SSL negotiation finished successfully
Does anyone have an idea about that?
