Exchange Active Sync not working for some users due to Kerberos Token Bloat

Problem

  • You have deployed Exchange or are in the middle of a migration from an older version.
  • You discover that Active Sync is not working for some users, but it’s working fine for other users
    • In my case I was migrating from Exchange 2007 to Exchange 2013.

Other Symptoms

  • HTTP Proxy Log contains the following error
    • WebExceptionStatus=ProtocolError;ResponseStatusCode=400;WebException=System.Net.WebException: The remote server returned an error: (400) Bad Request.

Cause

The problem in my case was Kerberos token bloat, caused by the affected users being members of a large number of Active Directory groups (in my case 150).

As per this Technet article:

“This issue may occur when the user is a member of many Active Directory user groups. When a user is a member of a large number of active directory groups the Kerberos authentication token for the user increases in size. The HTTP request that the user sends to the IIS server contains the Kerberos token in the WWW-Authenticate header, and the header size increases as the number of groups goes up.  If the HTTP header or packet size increases past the limits configured in IIS, IIS may reject the request and send this error as the response.”

This Technet blog also describes the problem.
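To see how close a given user is to the limits, the following PowerShell is an added example (not from the original post or the Technet articles) that estimates the token size from the number of group SIDs the user carries. The sizing formula (1200 + 40*d + 8*s) is the one Microsoft documents in KB 327825; the function names, the base64 expansion step and the comparison against the HTTP.sys default are my own assumptions. The first function is pure arithmetic and runs anywhere; the second reads the recursive group list (the tokenGroups attribute) for an account and needs a domain-joined machine, and because it does not resolve each group's type it only reports best- and worst-case bounds.

```powershell
# Added example: estimate Kerberos token size from group counts (KB 327825 formula).
# d = domain local groups + universal groups outside the account domain (+ SID history),
# s = global groups + universal groups in the account domain.

function Get-EstimatedTokenSize {
    param(
        [int]$DomainLocalOrForeignUniversal,  # d: stored as full SIDs, ~40 bytes each
        [int]$GlobalOrHomeUniversal,          # s: stored as RIDs, ~8 bytes each
        [int]$MaxFieldLength = 16384          # HTTP.sys default per-header limit (assumed for comparison)
    )
    $token = 1200 + (40 * $DomainLocalOrForeignUniversal) + (8 * $GlobalOrHomeUniversal)
    # On the wire the token is base64-encoded inside "Authorization: Negotiate <token>",
    # so the header is roughly 4/3 of the raw token plus the header name.
    $header = [math]::Ceiling($token * 4 / 3) + 'Authorization: Negotiate '.Length
    [pscustomobject]@{
        TokenBytes        = $token
        HeaderBytes       = $header
        ExceedsFieldLimit = ($header -gt $MaxFieldLength)
    }
}

function Get-TokenGroupBounds {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $result = ([adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))").FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found" }
    $entry = $result.GetDirectoryEntry()
    # tokenGroups is a computed attribute: every security group the user is in, recursively.
    $entry.RefreshCache(@('tokenGroups'))
    $count = $entry.Properties['tokenGroups'].Count
    [pscustomobject]@{
        SamAccountName = $SamAccountName
        GroupCount     = $count
        # Bounds only: we do not look up each group's type, and SID history is not counted.
        BestCase       = (Get-EstimatedTokenSize -DomainLocalOrForeignUniversal 0 -GlobalOrHomeUniversal $count).TokenBytes
        WorstCase      = (Get-EstimatedTokenSize -DomainLocalOrForeignUniversal $count -GlobalOrHomeUniversal 0).TokenBytes
    }
}

# Constructed figures matching the post: 150 groups, assumed all domain local (worst case).
Get-EstimatedTokenSize -DomainLocalOrForeignUniversal 150 -GlobalOrHomeUniversal 0

# On a domain-joined box, check a real account (hypothetical name):
# Get-TokenGroupBounds -SamAccountName 'jsmith'
```

The formula is a lower-bound estimate: it predates the larger PAC structures of newer Windows versions and ignores SID history and claims, so treat a result near a limit as already over it.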

Solution

Configure the following registry values on the Exchange 2013 and 2007 CAS servers (I rebooted after making these changes; HTTP.sys only reads the HTTP\Parameters values when the HTTP service starts, so restarting IIS alone is not enough):

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Name: MaxRequestBytes
Type: REG_DWORD
Value: 16777216

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Name: MaxTokenSize
Type: REG_DWORD
Value: 48000

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Name: MaxFieldLength
Type: REG_DWORD
Value: 65534

All values are decimal byte counts. 16777216 and 65534 are the documented maximums for MaxRequestBytes and MaxFieldLength, and 48000 for MaxTokenSize is the default on Windows Server 2012 and later (older versions default to 12000; the absolute maximum is 65535).
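The same change applied and verified from an elevated PowerShell session, as an added example (not from the original post). The paths, value names and numbers are the ones listed above; the function names and the documented Windows defaults quoted in the comments (16384 for the two HTTP.sys values, 12000 or 48000 for MaxTokenSize depending on OS version) are my own additions. Run with -WhatIf first to preview what would be written.

```powershell
# Added example: report and apply the token-bloat registry values from the post.
$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters';        Name = 'MaxRequestBytes'; Value = 16777216; Max = 16777216 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'; Name = 'MaxTokenSize';    Value = 48000;    Max = 65535 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters';        Name = 'MaxFieldLength';  Value = 65534;    Max = 65534 }
)

function Get-TokenBloatSettings {
    # Shows the current value of each setting; an unset value means the Windows default applies
    # (16384 for MaxRequestBytes/MaxFieldLength, 12000 or 48000 for MaxTokenSize by OS version).
    foreach ($s in $settings) {
        $current = $null
        if (Test-Path $s.Path) {
            $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        $display = if ($null -eq $current) { '(not set, default applies)' } else { $current }
        [pscustomobject]@{
            Name      = $s.Name
            Current   = $display
            Target    = $s.Value
            Compliant = ($current -ge $s.Value)
        }
    }
}

function Set-TokenBloatSettings {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($s in $settings) {
        if ($s.Value -gt $s.Max) {
            throw "$($s.Name)=$($s.Value) exceeds the documented maximum of $($s.Max)"
        }
        if (-not (Test-Path $s.Path)) {
            # HTTP\Parameters is absent on a fresh install; create the key before writing values.
            if ($PSCmdlet.ShouldProcess($s.Path, 'Create registry key')) {
                New-Item -Path $s.Path -Force | Out-Null
            }
        }
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "Set REG_DWORD to $($s.Value)")) {
            New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
        }
    }
}

Get-TokenBloatSettings | Format-Table -AutoSize
Set-TokenBloatSettings -WhatIf     # drop -WhatIf to apply
Get-TokenBloatSettings | Format-Table -AutoSize
```

After applying, reboot (as the post did) or at least restart the HTTP service so HTTP.sys picks up the new limits; the Kerberos MaxTokenSize value likewise takes effect only after a restart.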
