VMware Cloud Community
Ukusic
Enthusiast

vRA 7.1 and Identity Manager maxHttpHeaderSize

Hi,

We had a lot of trouble when we set up vRA 6.2 a long time ago. Our users could not log in because they were in a lot of AD groups. SAML/Kerberos and the HTTP header size was too big.

The solution we came up with after many, many weeks with support was to add the following to Identity Appliance in vRA 6.2.

Identity Appliance 2.2.1.0 Build 2496259
/usr/lib/vmware-sts/conf/server.xml

<Connector acceptCount="100"
                   connectionTimeout="20000"
                   executor="tomcatThreadPool"
                   maxKeepAliveRequests="-1"
                   maxHttpHeaderSize="65536"

<Connector SSLEnabled="true"
                   acceptCount="200"
                   maxHttpHeaderSize="65536"

Now we have the exact same symptoms in vRA 7.1; the logs don't say much except 400 Bad Request when clicking "Next" on the login page. Exactly like we had on 6.2.

I have found the value 3 times in /opt/vmware/horizon/workspace/conf/server.xml by just searching for it:

maxHttpHeaderSize="32768"

I have tried to change these values to "65536" without success, and I don't know if this is the right place or if I need to add it in other config files in the vRA 7.1 solution.

Hopefully someone here has insight into how to change this in vRA 7.1 and Identity Manager.

(VMware Identity Manager 2.7.0.0 Build 4161732)

Any advice or tip on where to look and I would be very grateful!

/Best regards

0 Kudos
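
An added example (not part of the original posts, and not VMware's code): a Python check that lists every `<Connector>` in a Tomcat-style `server.xml` with its effective `maxHttpHeaderSize`, including connectors that never set the attribute. The sample XML is constructed, and the 8192-byte value for a missing attribute is Tomcat's documented default, assumed here to apply to the appliance's embedded Tomcat.

```python
import xml.etree.ElementTree as ET

# Assumption: stock Tomcat default when maxHttpHeaderSize is not set.
TOMCAT_DEFAULT = 8192

# Constructed sample, not copied from any appliance.
SAMPLE_SERVER_XML = b"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" maxHttpHeaderSize="32768"/>
    <Connector port="8443" SSLEnabled="true" maxHttpHeaderSize="65536"/>
    <Connector port="6443" SSLEnabled="true" acceptCount="200"/>
  </Service>
</Server>"""


def audit_connectors(xml_bytes, required=65536):
    """Return one dict per <Connector> with its effective header limit."""
    root = ET.fromstring(xml_bytes)
    report = []
    for conn in root.iter("Connector"):
        raw = conn.get("maxHttpHeaderSize")
        try:
            effective = int(raw) if raw is not None else TOMCAT_DEFAULT
        except ValueError:
            effective = None  # non-numeric, e.g. an unexpanded ${property}
        report.append({
            "port": conn.get("port", "?"),
            "ssl": conn.get("SSLEnabled", "false").lower() == "true",
            "explicit": raw is not None,
            "effective": effective,
            "ok": effective is not None and effective >= required,
        })
    return report


def too_small(xml_bytes, required=65536):
    """Ports of connectors whose effective limit is below `required`."""
    return [r["port"] for r in audit_connectors(xml_bytes, required) if not r["ok"]]


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for r in audit_connectors(data):
        src = "explicit" if r["explicit"] else "default"
        flag = "ok" if r["ok"] else "BELOW TARGET"
        print(f"port={r['port']} ssl={r['ssl']} maxHttpHeaderSize={r['effective']} ({src}) {flag}")
```

A connector that never sets the attribute does not show up in a text search for `maxHttpHeaderSize`, which is why the report lists it with the default value.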
2 Replies
zwal1986
Enthusiast

I've had luck in 6.x solving this issue by increasing the Kerberos max token size on the web servers as outlined by the following KB: Setting the Kerberos token size for vRealize Automation deployments (2095768) | VMware KB

I hope that works for you, good luck!

-Zac

0 Kudos
Ukusic
Enthusiast

Hi zwal1986,

Thanks for the reply!

In vRA 6.2 the values I described solved the login problem we had then.
A couple of months later some users had problems deploying blueprints all of a sudden. We then implemented the fix you linked to, which fixed it in 6.2. 🙂 We have set this in vRA 7.1 to be safe on the IaaS.

0 Kudos