IWA Kerberos authentication may fail when user belongs to many AD groups

Published: 07/16/2015

The Kerberos service ticket an AD user presents during IWA carries the user's group memberships (in the PAC), so it grows with the number of groups the user belongs to. The browser sends that ticket base64-encoded in the HTTP Authorization: Negotiate request header. When the request header block exceeds the header buffer size limit of the Jetty server embedded in PingFederate, Jetty rejects the request and IWA authentication fails.

To verify the issue, enable additional logging so that the error message related to the issue is written to server.log.

To resolve the issue, increase the request header buffer size for each Jetty connector. The file and element name depend on the PingFederate version (for versions prior to 6.9 it is the headerBufferSize element for each connector in jboss-service.xml); see Solution below.


Steps to enable additional logging to verify this issue

1) Backup pingfederate/server/default/conf/log4j.xml
2) Open pingfederate/server/default/conf/log4j.xml in a text editor
3) Change

<category name="org.mortbay.log">
   <priority value="FATAL"/>
</category>


to

<category name="org.mortbay.log">
   <priority value="WARN"/>
</category>


Note: In PingFederate 6.9 and later, Jetty logs under the category name org.eclipse.jetty instead of org.mortbay.log, so change that category's priority instead.

4) Once you have saved your changes to the log4j.xml file, the logging change takes effect within about 30 seconds without a restart. Restarting PingFederate will also cause the change to take effect.

5) Once you have verified the issue, restore the backed-up log4j.xml to avoid unneeded logging.

Verifying the issue

Once additional logging is enabled, ask the user to replicate the issue. Replicating it with a browser-based HTTP trace tool (e.g., ieHTTPHeaders) lets you measure the request the browser actually sends: the base64 Negotiate token in the Authorization header is the bulk of it, but the whole header block (request line, cookies and other headers included) is what has to fit in the buffer.

In your server.log, you should see a "FULL head" error similar to the one shown below:
 
WARN  [org.mortbay.log] handle failed
java.io.IOException: FULL head

In PingFederate 6.9+ you will see something like

WARN  [org.eclipse.jetty.http.HttpParser] Header is too large >8192
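To put numbers on the trace and the log check above, here is an added Python example (not part of the original article and not PingFederate code) that measures the request header block a browser-side trace shows, reports the Negotiate token's encoded and decoded sizes, suggests a buffer value, and scans server.log text for both overflow signatures. The request, token bytes and log lines are constructed samples; the 20% headroom and the rounding to 1 KB are this example's own assumptions, not a PingFederate guideline.

```python
"""Size the request header block an IWA request needs and spot the Jetty
header-overflow signatures in PingFederate's server.log.
Added example: the request, token and log lines below are constructed."""
import base64
import re

# Constructed stand-in for the SPNEGO token a browser sends after a Kerberos
# logon: 9216 arbitrary bytes, which base64-encode to 12288 characters. A real
# token is a GSS-API blob whose size grows with the user's group memberships.
FAKE_TOKEN = base64.b64encode(bytes(range(256)) * 36).decode("ascii")

# Constructed raw request, in the form a browser-side HTTP trace tool shows it.
# Path and cookie are illustrative; only the header sizes matter here.
SAMPLE_REQUEST = (
    "GET /idp/startSSO.ping?PartnerSpId=example HTTP/1.1\r\n"
    "Host: sso.example.com\r\n"
    "Cookie: JSESSIONID=0123456789abcdef\r\n"
    "Authorization: Negotiate " + FAKE_TOKEN + "\r\n"
    "\r\n"
)

# Constructed server.log excerpt. The two WARN entries mirror the signatures
# quoted in the article; the timestamp prefix and the INFO line are assumed.
SAMPLE_LOG = """\
2015-07-16 10:01:02,345 WARN  [org.mortbay.log] handle failed
java.io.IOException: FULL head
2015-07-16 10:01:03,000 INFO  [example.unrelated] constructed filler line
2015-07-16 10:07:09,001 WARN  [org.eclipse.jetty.http.HttpParser] Header is too large >8192
"""

OVERFLOW_SIGNATURES = (
    # Jetty 6 (PingFederate before 6.9): the parser throws "FULL head".
    ("FULL head (Jetty 6)", re.compile(r"java\.io\.IOException: FULL head")),
    # Jetty 7/8 (PingFederate 6.9+): the message includes the configured limit.
    ("Header is too large (Jetty 7+)", re.compile(r"Header is too large >(\d+)")),
)


def header_block_size(raw_request):
    """Bytes from the request line through the blank line that ends the
    headers. This whole block, not just the token, must fit Jetty's request
    header buffer, so cookies and other headers count too."""
    data = raw_request.encode("latin-1")
    end = data.find(b"\r\n\r\n")
    return len(data) if end < 0 else end + 4


def negotiate_token_sizes(raw_request):
    """(base64 characters, decoded bytes) of the Authorization: Negotiate
    token, or None when the request carries no such header."""
    m = re.search(r"^Authorization:\s*Negotiate\s+(\S+)", raw_request, re.M | re.I)
    if not m:
        return None
    return len(m.group(1)), len(base64.b64decode(m.group(1)))


def recommended_buffer(header_bytes, headroom_pct=20, align=1024):
    """Suggest a buffer value: add headroom for future group growth (20% is
    this example's assumption), then round up to a multiple of `align`.
    Jetty does not need a multiple of 1024; the rounding only makes the
    configured value easy to recognise."""
    needed = -(-(header_bytes * (100 + headroom_pct)) // 100)  # ceiling
    return -(-needed // align) * align


def find_header_overflow(log_text):
    """Scan server.log text for both overflow signatures. Returns a list of
    (line_number, signature_name, limit); limit is the buffer size Jetty 7+
    reports, or None for the Jetty 6 message, which does not include it."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for name, pat in OVERFLOW_SIGNATURES:
            m = pat.search(line)
            if m:
                hits.append((n, name, int(m.group(1)) if m.groups() else None))
    return hits


if __name__ == "__main__":
    size = header_block_size(SAMPLE_REQUEST)
    b64_len, raw_len = negotiate_token_sizes(SAMPLE_REQUEST)
    print(f"request header block: {size} bytes "
          f"(Negotiate token: {b64_len} base64 chars, {raw_len} raw bytes)")
    print(f"suggested header buffer: {recommended_buffer(size)} bytes")
    for n, name, limit in find_header_overflow(SAMPLE_LOG):
        detail = f", configured limit {limit}" if limit else ""
        print(f"server.log line {n}: {name}{detail}")
```

Paste the raw request from the trace tool into SAMPLE_REQUEST and the relevant server.log lines into SAMPLE_LOG; the suggested buffer is what you carry into the per-version configuration below. The Jetty 7+ message is the more useful one because it tells you the limit that was hit, which confirms which connector's configuration you are editing.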

Solution

The default header buffer size limit in PingFederate (PF) 4.x, 5.x, 6.0 and 6.1 is 4096 bytes; in PF 6.2 and higher it is 8192 bytes. If the Kerberos token is 10,000 bytes, you can raise the limit to, for example, 12,288 bytes (12 KB). The value does not need to be a multiple of 1024; anything comfortably larger than the observed request header block works. Note that the limit applies to the whole header block (request line, cookies and other headers as well as the Negotiate token), so size it against the full request seen in the trace, not the token alone. PF 6.10 moved to Jetty 8.1.3, and the headerBufferSize property has been deprecated since Jetty 7.1, which is why the later versions below set the size through RequestHeaderSize or a start.ini property instead.

For PF 4.x, 5.x, 6.0 and 6.1:

Add the following element to each <addConnector> element in the pingfederate/server/default/deploy/jetty.sar/META-INF/jboss-service.xml configuration file.

<Set name="headerBufferSize">12288</Set>

For PF 6.2 to 6.8:

Look for the following element in the pingfederate/server/default/deploy/jetty.sar/META-INF/jboss-service.xml configuration file:

<Set name="headerBufferSize">8192</Set>

and change the value from 8192 to 12288. Make sure you change the value for each <addConnector> element.

For PF 6.9 to 7.3:

In the file pingfederate/etc/jetty-runtime.xml, find the RequestHeaderSize element in each addConnector element and modify the value, e.g.,

<Call name="addConnector">
[...]
                  <Set name="RequestHeaderSize">8192</Set>


The value 12288 (12 KB) is an example used for illustrative purposes. Look at the size of the request headers carrying the Kerberos token that causes the problem and choose the buffer size that suits your environment. Increasing the buffer size should not have a noticeable impact on performance, but do not set it far beyond what you need: the buffer bounds how much header data any client, authenticated or not, can make the server accept per request. If a reverse proxy or load balancer sits in front of PingFederate, it has its own request header limit that may need raising as well, otherwise the request is rejected before it reaches PingFederate.

For PF 8.0+:

In the file pingfederate/bin/start.ini, find the property jetty.request.header.size and set it to the appropriate size. This changes the request header size for all Jetty connectors at once.

Once the changes to jboss-service.xml, jetty-runtime.xml or start.ini have been made, restart PingFederate for them to take effect.

Note: In a clustered environment, make these changes on each engine node; configuration replication does not push this value to the engines. The change is not needed on the admin node.
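As an added example that is not part of the original article, the following Python script audits the header size configured in the three file styles described above (jboss-service.xml, jetty-runtime.xml and start.ini), flags a connector that was missed, and rewrites every occurrence to one value. It is the kind of check you would run on each engine node of a cluster before restarting. The XML and start.ini fragments are constructed to illustrate the formats, not copied from a PingFederate installation, and the required size is whatever your trace showed.

```python
"""Audit and update the Jetty request header size in the PingFederate
configuration styles this article describes (jboss-service.xml,
jetty-runtime.xml, start.ini). Added example; the file fragments are
constructed and the required size comes from your own trace."""
import re

# One pattern per configuration style. Group 1 is the text before the value,
# group 2 the value, group 3 the text after it (empty for start.ini).
PATTERNS = (
    # PF 4.x to 6.8: jboss-service.xml, one element per connector
    re.compile(r'(<Set name="headerBufferSize">)(\d+)(</Set>)'),
    # PF 6.9 to 7.3: jetty-runtime.xml, one element per connector
    re.compile(r'(<Set name="RequestHeaderSize">)(\d+)(</Set>)'),
    # PF 8.0+: start.ini, one property for all connectors
    re.compile(r'(^[ \t]*jetty\.request\.header\.size[ \t]*=[ \t]*)(\d+)()', re.M),
)

# Constructed jetty-runtime.xml fragment in the PF 6.9 to 7.3 style with two
# connectors. Only the first was raised: the partial change that leaves IWA
# failing on the other port.
JETTY_RUNTIME_XML = """\
<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
      <Set name="port">9031</Set>
      <Set name="RequestHeaderSize">12288</Set>
    </New>
  </Arg>
</Call>
<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Set name="port">9032</Set>
      <Set name="RequestHeaderSize">8192</Set>
    </New>
  </Arg>
</Call>
"""

# Constructed start.ini fragment in the PF 8.0+ style. The response-size line
# is there to show that the pattern leaves neighbouring properties alone.
START_INI = """\
jetty.request.header.size=8192
jetty.response.header.size=8192
"""


def configured_header_sizes(text):
    """Every header-size value in a config file, in file order. The XML
    styles carry one per connector, so mixed values mean a connector was
    missed; an empty list means the file has no such setting at all."""
    found = []
    for pat in PATTERNS:
        found.extend((m.start(), int(m.group(2))) for m in pat.finditer(text))
    return [value for _, value in sorted(found)]


def audit(text, required_bytes):
    """(ok, sizes): ok only if at least one setting exists and every one is
    at least required_bytes, the header block size measured in the trace."""
    sizes = configured_header_sizes(text)
    return bool(sizes) and all(s >= required_bytes for s in sizes), sizes


def set_header_size(text, new_size):
    """Rewrite every occurrence so all connectors get the same value.
    Restart PingFederate after writing the result back to the file."""
    for pat in PATTERNS:
        text = pat.sub(lambda m: f"{m.group(1)}{new_size}{m.group(3)}", text)
    return text


if __name__ == "__main__":
    required = 10000  # assumed header block size taken from the trace
    for name, text in (("jetty-runtime.xml", JETTY_RUNTIME_XML), ("start.ini", START_INI)):
        ok, sizes = audit(text, required)
        print(f"{name}: configured {sizes}, sufficient for {required} bytes: {ok}")
        if not ok:
            print(set_header_size(text, 12288), end="")
```

Run it against the real file contents on every engine node; a mixed list such as [12288, 8192] is the tell-tale of an edit applied to one connector only, which the article's "each connector" instruction exists to prevent.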


For more information on the impact of AD group membership on Kerberos ticket size, see the following Microsoft articles:

Kerberos Authentication Problem with Active Directory

Problems with Kerberos authentication when users belong to many groups

Category: Integrations