Setting the Kerberos token size for vRealize Automation deployments

Article ID: 344244

Products

VMware Aria Suite

Issue/Introduction

Symptoms:
  • In the Infrastructure tab, you see the error:

    Service Unreachable - A required service cannot be reached at the expected address. Contact your system administrator for assistance. Reference error REPO404
     
  • In the C:\Program Files (x86)\VMware\vCAC\Server\Website\Logs\Web_Admin.log file, you see the error:

    Bad Request - Request Too Long - HTTP Error 400. The size of the request headers is too long


Environment

VMware vCloud Automation Center for Server 6.1.x
VMware vRealize Automation 7.1.x
VMware vCloud Automation Center Development Kit 4.5.x
VMware vRealize Automation 7.4.x
VMware vCloud Automation Center 5.x
VMware vCloud Automation Center for Desktop 6.1.x
VMware vRealize Automation Desktop 6.2.x
VMware vRealize Automation 6.2.x
VMware vCloud Automation Center Development Kit 5.1.x
VMware vRealize Automation 7.2.x
VMware vCloud Automation Center for Server 6.0.x
VMware vCloud Automation Center for Desktop 6.0.x
VMware vRealize Automation 7.x
VMware vRealize Automation 7.3.x
VMware vRealize Automation 7.0.x
VMware vRealize Automation 7.5.x

Cause

This issue occurs because the default VMware vRealize Automation (formerly known as vCloud Automation Center) headers, when searching for LDAP or performing actions on behalf of a user, are too large for the default Windows Kerberos token size.

Resolution

Note: Perform these steps on the vRealize Automation web server, or on all web servers if you have a high availability environment. Instead of making the registry changes manually, you can optionally use the attached file to apply them automatically.

Token Size

Determine and set the maximum Kerberos token size. To determine the correct Kerberos maximum token size for your deployment, use this guideline:
 
Kerberos MaxTokenSize = 1200 + 40d + 8s (bytes)
 
This formula uses the values:
  • d = The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain that the user is a member of plus the number of groups represented in security ID (SID) history.
  • s = The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain that the user is a member of.
  • 1200 = The estimated value for ticket overhead. This value varies depending on factors such as DNS domain name length and client name.

Windows Registry Modification

Determine if you need to modify the registry entry. If the token size that you calculate by using the above formula is less than 12,000 bytes (the default size), do not modify the MaxTokenSize registry value on domain clients. If the value is more than 12,000 bytes, adjust the MaxTokenSize registry value. For more information, see the Microsoft Knowledge Base article 327825.

To change the Kerberos MaxTokenSize value, modify this registry entry with regedit:
 

HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

MaxTokenSize, REG_DWORD, value (the recommended value for the MaxTokenSize registry entry is 65535 decimal or FFFF hexadecimal)

 
Note: The preceding links were correct as of April 15, 2015. If you find a link is broken, provide feedback and a VMware employee will update the link.
 
Note: This procedure modifies the Windows registry. Before making any registry modifications, ensure that you have a current and valid backup of the registry and the virtual machine. For more information on backing up and restoring the registry, see the Microsoft Knowledge Base article 136393.
 

HTTP Maximum Request Size

Determine and set the correct HTTP maximum request size for your deployment by using this guideline, where T is the Kerberos MaxTokenSize set above:
 
MaxFieldLength = (4/3 * T bytes) + 200
MaxRequestBytes = (4/3 * T bytes) + 200
 
Set MaxFieldLength and MaxRequestBytes to the calculated values. In this example, they are set to the permitted maximum values:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
MaxFieldLength DWORD 65534
MaxRequestBytes DWORD 16777216

Note: If the above fields are modified, you should restart the Windows machine for the changes to take effect.
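
The sizing rules from the Token Size and HTTP Maximum Request Size sections, as an added PowerShell check that is not part of this article or its attached .reg file: it reads the two registry keys without modifying them and compares the current values with the formulas. The parameter names `$D` and `$S`, their sample values, and the helper `Get-RegDword` are constructed for illustration.

```powershell
# Added example, not from the KB article or the attached .reg file.
# Read-only: compares registry values with the article's formulas. PowerShell 3.0+.
param(
    [int]$D = 150,   # d: domain local + out-of-domain universal + SID-history groups (constructed sample)
    [int]$S = 900    # s: global + in-domain universal groups (constructed sample)
)

$DefaultToken = 12000      # default token size stated in the article
$TokenCap     = 65535      # recommended MaxTokenSize value in the article
$FieldCap     = 65534      # permitted maximum shown for MaxFieldLength
$RequestCap   = 16777216   # permitted maximum shown for MaxRequestBytes

function Get-RegDword([string]$Path, [string]$Name) {
    # Hypothetical helper: returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$kerbKey = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$httpKey = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'

# Kerberos MaxTokenSize = 1200 + 40d + 8s (bytes)
$estimate = 1200 + (40 * $D) + (8 * $S)
if ($estimate -gt $TokenCap) {
    Write-Warning "Estimated token size $estimate exceeds the recommended MaxTokenSize of $TokenCap."
}

# T is the token size in effect: the registry value, or the article's default if unset.
$regToken = Get-RegDword $kerbKey 'MaxTokenSize'
$T = if ($null -ne $regToken) { [int]$regToken } else { $DefaultToken }

# MaxFieldLength = MaxRequestBytes = (4/3 * T) + 200, limited to the permitted maximum.
$httpNeeded = [int][math]::Ceiling(4 * $T / 3) + 200

$checks = @(
    @{ Name = 'MaxTokenSize';    Need = [math]::Min($estimate, $TokenCap);     Have = $T }
    @{ Name = 'MaxFieldLength';  Need = [math]::Min($httpNeeded, $FieldCap);   Have = (Get-RegDword $httpKey 'MaxFieldLength') }
    @{ Name = 'MaxRequestBytes'; Need = [math]::Min($httpNeeded, $RequestCap); Have = (Get-RegDword $httpKey 'MaxRequestBytes') }
)

$checks | ForEach-Object {
    [pscustomobject]@{
        Value    = $_.Name
        Required = $_.Need
        Current  = if ($null -ne $_.Have) { $_.Have } else { 'not set' }
        Adequate = ($null -ne $_.Have) -and ($_.Have -ge $_.Need)
    }
} | Format-Table -AutoSize
```

Run it on each vRealize Automation web server with the group counts of the affected user; a row with Adequate set to False identifies the registry value to raise.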


Additional Information

For more information, see the Microsoft Knowledge Base article 263693.
 

Note: The preceding links were correct as of August 19, 2015. If you find a link is broken, provide feedback and a VMware employee will update the link.

Attachments

KB2095768v3.reg