
Setting the Kerberos token size for vRealize Automation deployments (2095768)


Symptoms

  • In the Infrastructure tab, you see the error:

    Service Unreachable - A required service cannot be reached at the expected address. Contact your system administrator for assistance. Reference error REPO404

  • In the C:\Program Files (x86)\VMware\vCAC\Server\Website\Logs\Web_Admin.log file, you see the error:

    Bad Request - Request Too Long - HTTP Error 400. The size of the request headers is too long

Cause

This issue occurs because the default VMware vRealize Automation (formerly known as vCloud Automation Center) headers, when searching LDAP or performing actions on behalf of a user, are too large for the default Windows Kerberos token size.

Resolution

Note: Perform these steps on the vRealize Automation web server, or on all web servers if you have a high availability environment. Instead of making the registry changes manually, you can optionally use the attached file to apply them automatically.

Token Size

Determine and set the maximum Kerberos token size. To determine the correct Kerberos maximum token size for your deployment, use this guideline:

Kerberos MaxTokenSize = 1200 + 40d + 8s (bytes)

This formula uses the values:
  • d = The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain that the user is a member of plus the number of groups represented in security ID (SID) history.
  • s = The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain that the user is a member of.
  • 1200 = The estimated value for ticket overhead. This value varies depending on factors such as DNS domain name length and client name.

Windows Registry Modification

Determine if you need to modify the registry entry. If the token size that you calculate by using the above formula is less than 12,000 bytes (the default size), do not modify the MaxTokenSize registry value on domain clients. If the value is more than 12,000 bytes, adjust the MaxTokenSize registry value. For more information, see the Microsoft Knowledge Base article 327825.

To change the Kerberos MaxTokenSize value, modify this registry entry with regedit:

HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

MaxTokenSize, REG_DWORD, value (the recommended value for the MaxTokenSize registry entry is 65535 decimal or FFFF hexadecimal)

 
Note: The preceding links were correct as of April 15, 2015. If you find a link is broken, provide feedback and a VMware employee will update the link.
 
Note: This procedure modifies the Windows registry. Before making any registry modifications, ensure that you have a current and valid backup of the registry and the virtual machine. For more information on backing up and restoring the registry, see the Microsoft Knowledge Base article 136393.
 

HTTP Maximum Request Size

Determine and set the correct HTTP maximum request size for your deployment by using this guideline, where T is the Kerberos MaxTokenSize set above:

MaxFieldLength = (4/3 * T bytes) + 200
MaxRequestBytes = (4/3 * T bytes) + 200

Set MaxFieldLength and MaxRequestBytes to the calculated values. In this example, they are set to the permitted maximum values:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
MaxFieldLength DWORD 65534
MaxRequestBytes DWORD 16777216

Note: If you modify the above values, restart the Windows machine for the changes to take effect.
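
The sizing and registry steps above can be scripted. The following PowerShell is an added example, not the attached VMware file or VMware's own code. The function and parameter names are hypothetical, and it assumes T is the MaxTokenSize in effect: 65535 when the estimate exceeds the 12,000-byte default, otherwise the default itself.

```powershell
# Added example; function and parameter names are hypothetical.
# Formulas, registry paths, value names and limits are those given in the article.
function Get-VraKerberosSizing {
    param(
        [Parameter(Mandatory)][int]$D,  # d: domain local + out-of-domain universal + SID-history groups
        [Parameter(Mandatory)][int]$S   # s: security global + in-domain universal groups
    )
    $estimate = 1200 + 40 * $D + 8 * $S
    $change   = $estimate -gt 12000     # only raise MaxTokenSize above the default when needed
    # Assumption: T is the value in effect (recommended 65535 if changed, else the default).
    $t    = if ($change) { 65535 } else { 12000 }
    $http = [int][math]::Ceiling([double](4 * $t) / 3) + 200
    [pscustomobject]@{
        EstimatedTokenBytes = $estimate
        ChangeMaxTokenSize  = $change
        MaxTokenSize        = $t
        # Clamp to the permitted maximums quoted in the article.
        MaxFieldLength      = [math]::Min($http, 65534)
        MaxRequestBytes     = [math]::Min($http, 16777216)
    }
}

function Set-VraKerberosSizing {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$Sizing)
    process {
        $lsa  = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
        $http = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
        $plan = @(
            @{ Path = $http; Name = 'MaxFieldLength';  Value = $Sizing.MaxFieldLength }
            @{ Path = $http; Name = 'MaxRequestBytes'; Value = $Sizing.MaxRequestBytes }
        )
        if ($Sizing.ChangeMaxTokenSize) {
            $plan += @{ Path = $lsa; Name = 'MaxTokenSize'; Value = $Sizing.MaxTokenSize }
        }
        foreach ($p in $plan) {
            # ShouldProcess makes -WhatIf print the planned write instead of performing it.
            if ($PSCmdlet.ShouldProcess("$($p.Path)\$($p.Name)", "Set DWORD $($p.Value)")) {
                New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType DWord -Value $p.Value -Force | Out-Null
            }
        }
    }
}

# Constructed sample input: a user with d = 250 and s = 400 group memberships.
Get-VraKerberosSizing -D 250 -S 400 | Set-VraKerberosSizing -WhatIf
```

Run it without -WhatIf from an elevated session, after backing up the registry, to write the values.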

Additional Information

For more information, see the Microsoft Knowledge Base article 263693.

Note: The preceding links were correct as of August 19, 2015. If you find a link is broken, provide feedback and a VMware employee will update the link.
