Director & WinRM : Sometimes size does matter!

As you may know, some features of Director rely on WinRM, which you have to configure by following this article: http://support.citrix.com/article/CTX125243.

In a large Active Directory environment, the user security token that is used to authenticate the user to the server may be larger than 16 KB. This can occur when a user is a member of many security groups.

However, WinRM has a 16 KB size limit for HTTP authorization requests. Therefore, WinRM does not accept HTTP authorization requests that use a user security token that is larger than 16 KB.

When this limit is exceeded, some features in Director return unexpected errors and the following entry can be found in the event log:

The data source ‘Unknown error.’ (‘/Citrix/Monitor/OData/v1/methods’) responded with an unexpected error.

A hotfix from Microsoft is available to resolve this issue. After you apply this hotfix, you can customize the values of MaxFieldLength and MaxRequestBytes registry entries to make WinRM accept authorization requests larger than 16 KB.

The following registry entries should be adjusted:

Name: MaxFieldLength

Type: REG_DWORD

Value: default (16384). Range (64 to 65534)

Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

Explanation: The MaxFieldLength registry entry specifies the maximum size limit of each HTTP request header, in bytes.

 

Name: MaxRequestBytes

Type: REG_DWORD

Value: default (16384). Range (64 to 65534)

Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

Explanation: The MaxRequestBytes registry entry specifies the upper limit for the total size of the request line and the headers, in bytes.

 

You should align those registry entries with the better-known MaxTokenSize. For reference, the default MaxTokenSize has been 48000 bytes since Windows Server 2012.
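One way to check that alignment on a Director or Delivery Controller server, as an added example (not from the original article or from Citrix or Microsoft). It assumes the Kerberos MaxTokenSize value lives under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which this page does not state, and uses the defaults and range quoted above; the function name and the -Apply switch are hypothetical.

```powershell
# Added example: audit HTTP.sys header limits against the Kerberos MaxTokenSize.
# Run elevated. Without -Apply the script only reads the registry.
param([switch]$Apply)

$httpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
# Assumption: standard Kerberos parameters key (not given on this page).
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# Hypothetical helper: return the DWORD if it is set, otherwise the stated default.
function Get-DwordOrDefault {
    param([string]$Path, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $null -ne $item.$Name) { return [int]$item.$Name }
    return $Default
}

# Defaults quoted in the article: 48000 (Windows Server 2012 and later), 16384.
$maxTokenSize = Get-DwordOrDefault $kerbKey 'MaxTokenSize' 48000

$report = foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
    $value = Get-DwordOrDefault $httpKey $name 16384
    [pscustomobject]@{
        Name         = $name
        Value        = $value
        MaxTokenSize = $maxTokenSize
        # The token travels base64-encoded in the Authorization header,
        # so a limit equal to MaxTokenSize is a floor, not a margin.
        Status       = if ($value -ge $maxTokenSize) { 'OK' } else { 'TooSmall' }
    }
}
$report | Format-Table -AutoSize

if ($Apply) {
    # Stay inside the range quoted in the article (64 to 65534).
    $target = [Math]::Min([Math]::Max($maxTokenSize, 64), 65534)
    foreach ($row in $report | Where-Object Status -eq 'TooSmall') {
        New-ItemProperty -Path $httpKey -Name $row.Name -Value $target `
            -PropertyType DWord -Force | Out-Null
        Write-Host "$($row.Name) set to $target"
    }
    Write-Host 'Restart the HTTP service (or reboot) for the change to take effect.'
}
```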
