App Control: API Errors After Successful Login Using SAML

Article ID: 290793

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • API pages like Software Rules, Editing Users, or moving machine policies are unavailable. 
  • System Configuration > Advanced Options shows the API connection as failed. 
  • Events Page shows "Your API token has expired".
  • Logins using local accounts do not show API issues.

Environment

  • App Control Console: 8.1 and higher (was CB Protection)
  • SAML Integration

Cause

When the API checks your user permissions, it passes the entire SAML assertion as the username. For longer assertions, IIS's maximum message size is too small to fit the entire assertion. 

Resolution

  1. On the CB Protection Server, open regedit.exe
  2. Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  3. Create the following DWORD decimal entries:
    MaxFieldLength = 65534 
    MaxRequestBytes = 16777216 
    MaxTokenSize = 49152
  4. Reboot the CB Protection Server
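
The same registry change can be scripted. The following PowerShell is an added example, not a vendor-supplied script: it creates or updates the three DWORD values from step 3, skips any that already match, and reads the key back so the change can be recorded. It assumes an elevated PowerShell session on the server; the reboot in step 4 is still done by hand.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the three values from the Resolution steps above.
# Run with -WhatIf first to see what would change without writing anything.
[CmdletBinding(SupportsShouldProcess)]
param()

$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Names and values exactly as listed in the article (DWORD, decimal).
$Desired = [ordered]@{
    MaxFieldLength  = 65534
    MaxRequestBytes = 16777216
    MaxTokenSize    = 49152
}

if (-not (Test-Path -Path $Path)) {
    throw "Registry key not found: $Path"
}

$changed = $false
foreach ($name in $Desired.Keys) {
    # Returns $null when the value does not exist yet.
    $current = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq $Desired[$name]) {
        Write-Output "$name already set to $current"
        continue
    }
    $shown = if ($null -eq $current) { '<not set>' } else { $current }
    if ($PSCmdlet.ShouldProcess("$Path\$name", "Set DWORD $shown -> $($Desired[$name])")) {
        # -Force creates the value or overwrites an existing one as a DWORD.
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord `
            -Value $Desired[$name] -Force | Out-Null
        $changed = $true
    }
}

# Read back what is now stored under the key.
Get-ItemProperty -Path $Path | Select-Object -Property @($Desired.Keys)

if ($changed) {
    Write-Warning 'Values changed. Reboot the server for them to take effect (step 4).'
}
```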

Additional Information

This item is being tracked internally as EP-8317. A future release will shorten the assertion to only the required details.