Hi all, I'm hoping someone can help. As the title states, users are getting an HTTP 400 Bad Request error message when visiting an intranet page. This is only happening for a few users, and started happening after they were migrated. We are using SID history for access to resources. Here's what I've tried so far.
- Enable old account, site works w/ no issues
- Duplicate new account to use that as a test, and start removing security groups from new test account. Eventually the AD account was able to access the account after I removed enough groups. This is not really a feasible solution at this time since we still have both domains up and running.
This tells me I'm looking at a token size issue.
- I installed Fiddler on the workstation to capture some information. With Fiddler running the user is able to access the site with no issues. I'm assuming there is no usable information in Fiddler then, since it couldn't catch any errors. My experience with Fiddler is limited, so if you have any suggestions feel free to give them.
- I started looking at this URL, which is a fairly decent write-up:
http://blogs.technet.com/b/surama/archive/2009/04/06/kerberos-authentication-problem-with-active-directory.aspx
- On the webserver, MaxRequestBytes was already set to 65534. MaxFieldLength was already set to 65534; I increased this to the max for testing, 16777216, and restarted IIS.
- MaxTokenSize on the workstation and webserver by default is set to 48000. For testing I set it to 65534 and rebooted both.
- Here is a screenshot of the tokensz utility, after I removed the MaxTokenSize reg key.
- Ran ntdsutil and queried the number of groups the user is in. So effectively, if I understand this, the user is in 242 groups because of SID history.
Web server is Windows 2000 with IIS 5.
Workstations are Windows 7 x86
Hopefully someone has some ideas, any and all are welcome. Thanks in advance.
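An added example, not code from the original poster, that puts numbers on the problem described in the post. It applies the token-size estimate Microsoft publishes in KB 327825 (TokenSize = 1200 + 40d + 8s, where SID history entries, domain-local groups and foreign universal groups count as d, and global groups plus same-domain universal groups count as s) to a constructed group membership, then checks whether the base64-encoded ticket fits the http.sys MaxFieldLength that bounds the `Authorization: Negotiate` header. The group list, domain names and SID history count are made up for illustration; the default values assumed are MaxTokenSize 12000 (Windows 7 / Server 2008 R2) and MaxFieldLength 16384.

```python
"""Kerberos token-size estimator: added example, not the original poster's code.

Formula from Microsoft KB 327825:

    TokenSize = 1200 + 40*d + 8*s

  d = domain-local groups + universal groups from OTHER domains
      + entries in the user's SIDHistory
  s = global groups + universal groups from the user's OWN domain

The ticket travels base64-encoded in "Authorization: Negotiate <blob>", so it
also has to fit http.sys's MaxFieldLength (default 16384, maximum 65534).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    scope: str    # "DomainLocal", "Global" or "Universal"
    domain: str   # domain the group object lives in


BASE_OVERHEAD = 1200          # fixed part of the KB 327825 formula
BYTES_PER_D = 40              # per domain-local / foreign-universal / SIDHistory entry
BYTES_PER_S = 8               # per global / same-domain-universal group
HEADER_PREFIX = "Authorization: Negotiate "

DEFAULT_MAXTOKENSIZE = 12000  # assumed: Windows 7 / Server 2008 R2 default
DEFAULT_MAXFIELDLENGTH = 16384
MAX_MAXFIELDLENGTH = 65534


def estimate_token_size(groups, user_domain, sid_history_count):
    """Return the KB 327825 estimate in bytes for one user."""
    d = sid_history_count          # every SIDHistory SID costs 40 bytes
    s = 0
    for g in groups:
        if g.scope == "DomainLocal":
            d += 1
        elif g.scope == "Global":
            s += 1
        elif g.scope == "Universal":
            if g.domain.lower() == user_domain.lower():
                s += 1
            else:
                d += 1
        else:
            raise ValueError(f"unknown group scope {g.scope!r} on {g.name}")
    return BASE_OVERHEAD + BYTES_PER_D * d + BYTES_PER_S * s


def negotiate_header_length(token_bytes):
    """Length of the Authorization header once the ticket is base64-encoded
    (base64 turns every 3 bytes, rounded up, into 4 characters)."""
    return len(HEADER_PREFIX) + 4 * ((token_bytes + 2) // 3)


def largest_token_for_field_length(max_field_length=MAX_MAXFIELDLENGTH):
    """Largest ticket (bytes) whose header still fits in max_field_length."""
    budget = max_field_length - len(HEADER_PREFIX)
    return 3 * (budget // 4)       # whole base64 quanta, 3 bytes each


def check_limits(token_bytes, max_token_size=DEFAULT_MAXTOKENSIZE,
                 max_field_length=DEFAULT_MAXFIELDLENGTH):
    """Compare an estimate against the two limits the post is tuning."""
    header = negotiate_header_length(token_bytes)
    return {
        "token_bytes": token_bytes,
        "exceeds_maxtokensize": token_bytes > max_token_size,
        "header_chars": header,
        "exceeds_maxfieldlength": header > max_field_length,
    }


# Constructed sample: a migrated user with a large SIDHistory, not real data.
SAMPLE_USER_DOMAIN = "NEWDOMAIN"
SAMPLE_SID_HISTORY = 150   # old account SID + SIDs of old-domain groups
SAMPLE_GROUPS = (
    [Group(f"DL-Share-{i}", "DomainLocal", "NEWDOMAIN") for i in range(120)]
    + [Group(f"GG-Dept-{i}", "Global", "NEWDOMAIN") for i in range(100)]
    + [Group(f"UG-Legacy-{i}", "Universal", "OLDDOMAIN") for i in range(22)]
)


def sample_report(max_token_size=DEFAULT_MAXTOKENSIZE,
                  max_field_length=DEFAULT_MAXFIELDLENGTH):
    size = estimate_token_size(SAMPLE_GROUPS, SAMPLE_USER_DOMAIN, SAMPLE_SID_HISTORY)
    return check_limits(size, max_token_size, max_field_length)


if __name__ == "__main__":
    print("with defaults:            ", sample_report())
    print("after raising both limits:", sample_report(65535, MAX_MAXFIELDLENGTH))
    print("largest ticket that fits MaxFieldLength=65534:",
          largest_token_for_field_length())
```

The formula is only an estimate (tokensz or the ticket in a network capture gives the real size), but the base64 arithmetic is exact: a 48000-byte ticket becomes a 64025-character header, and anything above roughly 49 KB cannot fit a single header field even with MaxFieldLength at its 65534 ceiling, which is why raising MaxTokenSize past 48000 does not help an HTTP client and trimming SID history or group membership does.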