Control Compliance Suite Web Dashboards showing HTTP 400 Error, Bad Request.
|Article:TECH201537|||||Created: 2013-01-10|||||Updated: 2013-01-11|||||Article URL http://www.symantec.com/docs/TECH201537|
Some users are seeing the HTTP 400 error message when accessing the CCS web dashboards. Sometimes pages do load when the user hits refresh but very often they are not displayed correctly, i.e. wrong layout due to CSS files missing etc. If the page does load correctly then the next link they click will probably show the HTTP 400 error again. Some users can't log on at all and are presented with a HTTP 400 error only.
Users are correctly added to AD groups and have the same and appropriate rights within CCS and when the page does load their correct AD user is displayed at the top of the screen. Other users in the same AD group (i.e. have the same rights within CCS) are no affected.
After enabling verbose logging for the HTTP API you're see the following in the IIS logs:
to verify if you are indeed looking at the same issue - enabled IIS HTTP API logging - let this microsoft kb "fix it" for you http://support.microsoft.com/kb/820729 - it adds a few parameters in the registry and generates a log - you need to restart the http service for it to take effect. The log goes to %SystemRoot%\System32\LogFiles\httperr1.log and shows the following:
#Software: Microsoft HTTP API 2.0
#Date: 2012-12-28 16:12:45
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2012-12-28 16:12:44 10.160.99.69 1792 10.160.98.177 80 HTTP/1.1 GET /CCS_Web/HomePage.aspx 400 - RequestLength -
If you see the same error, read on for the solution.
Symantec Control Compliance Suite (any version)
IIS can't handle large kerberos ticket size (be default). The Kerberos ticket size can be large due to the active directory users that is trying to authenticate being a member of many active directory groups -the more groups, the larger the kerberos ticket. The issue might show for some users but not for others seen as they belong to different groups.
The issue is with IIS and not Symantec code. It is fixed by adding two keys to the registry on the CCS application server relating to IIS, these are the keys to be added:
MaxFieldLength and possibly set it to 65534 (the maximum value)
MaxRequestBytes and possibly set it 16777216 (the maximum value)
Warning: Adding/changing these values from it's default come with a warning from Microsoft. For more information on the keys please see https://support.microsoft.com/kb/820129
Also, the Microsoft KB suggests that restarting the related IIS services is sufficient for the change to take effect however it has been reported that sometimes a reboot of the whole system seems to be needed for the keys to take effect!
Article URL http://www.symantec.com/docs/TECH201537