Windows client damage authorization header (Kerberos) => IIS 400 (Bad Request)

720 views Asked by At

We are facing strange behavior on about 5% of Windows (7 Pro and XP Pro, both 32 and 64 bits) client computers. These computers gets randomly error from IIS server - 400 Bad request. We are using Windows domain and these clients are trying to authorize to IIS via Kerberos.

Symtomps:

  • Client tries to connect to IIS server via Internet Explorer to site requiring authentication (Kerberos).
  • IIS server returns error 400 Bad Request.
  • Error will not disapear until client computer is "happily restarted". We do not found other way to "repair" this state. Happily restarted means that you can restart more than once. Sometimes it works sometimes not. If it works it will work safely till next restart. If it doesn't it safely do not work till next restart. :)

What we know

  • We are using more groups. So our users have bigger Kerberos TGT ussually. MaxTokenSize raised to 48000.

  • We sniff network traffic on affected clients and found that client sends broken authorization header. Part with kerberos authorization header is cut - not ended properly. So response from IIS server is right and logical. So problem is on client side.

  • We were trying to found some difference between working state and error state on affected computers with no luck.

  • We have more IIS servers at our network. Affected computer is having same issue on all of them in "error state".

  • Hope our thoughts are right, that Internet Explorer is using .NET Framework for HTTP requests and authorization. So probably cause is somewhere at .NET? All clients are using version 4.

Can anyone kindly help us to clarify this mystery? :)

1

There are 1 answers

0
Stanislav Chromec On BEST ANSWER

Solved. Eset NOD32 Antivirus version 4 was modifying HTML authorization headers on some computers. After disabling Web access protection everything works like a charm.