Kerberos/SSO Session Key With WNA Creates a Header Size Over Server Limit

(Doc ID 295791.1)

Last updated on APRIL 03, 2017

Applies to:

Oracle HTTP Server - Version to [Release AS10g to AS10gR3]
Oracle Application Server Single Sign-On - Version 9.0.4 to [Release 10gR1 to 10gR3]
Information in this document applies to any platform.
- This can happen on any version, but solution herein is limited to 10g
- See also: - How to Increase HTTP Header Size to Prevent Server Limit Errors


During the authentication process of Single Sign-On (with Windows Native Authentication enabled), the SSO server uses a buffer with default size of only 8 Kbytes. When a large Session Key (over 8K) is passed to the SSO server, the Oracle HTTP_Server (Apache) rejects the request, thus preventing a buffer overrun. This abnormally large Kerberos Session Key is rejected with an HTTP 401 error, followed by a 400 error.

The following is found in the Apache access_log at the time of occurance:

"GET /pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=v1.4{token HTTP/1.1" 400 16784
"GET /pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=v1.4{token}HTTP/1.1" 401 5

In the client browser, there may be text displayed as "HEADER FIELD SERVER LIMIT error", or an Internal Error. Some users have seen, "Your browser sent a request that this server could not understand. Size of a request header field exceeds server limit".

The "16784" in the above example is the byte size of the request. The default is 8190, normally an acceptable value.

This can occur while trying to log into Portal or OIDDAS with WNA enabled with SSO. If setting the Oracle HTTP Server LogLevel to "debug", the error_log reports, "request failed: error reading the headers".


This problem can occur after a migration from Microsoft Active Directory 2000 (AD 2000) to Active Directory 2003 (AD 2003).

Prior to such a migration, each AD 2000 Domain Controller issues it's own Security Identifier (SID) for a particular group. If, during migration, there are different groups in AD 2000 Domains combined into one group in AD 2003, then the KerberosSession Key that AD 2003 generates contains the unique SIDs for each of the old groups and the amalgamated group. When there are many of these amalgamated groups, the legacy SIDs pad the Kerberos Session Key, potentially making it 8 Kbytes in size or larger.


Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms