Merge pull request #7967 from paulcociuba/patch-3

AB#3402: Docs 2024 Review: Update http-bad-request-response-kerberos.md

Author: sevend2

.openpublishing.redirection.developer.json

@@ -5838,6 +5838,10 @@
     {
       "source_path": "support/developer/webapps/iis/health-diagnostic-performance/http-403-forbidden-access-website.md",
       "redirect_url": "/troubleshoot/developer/webapps/iis/site-behavior-performance/http-403-forbidden-access-website"
+    },    
+    {
+      "source_path": "support/developer/webapps/iis/www-administration-management/http-bad-request-response-kerberos.md",
+      "redirect_url": "/troubleshoot/developer/webapps/iis/www-authentication-authorization/http-bad-request-response-kerberos"
     }
   ]
 }

support/developer/webapps/iis/toc.yml

@@ -165,8 +165,6 @@ items:
     href: www-administration-management/enable-ssl-all-customers.md
   - name: Error when you configure 32-bit managed handlers
     href: www-administration-management/error-when-you-configure-32-bit-handlers.md
-  - name: HTTP error 400 when you send requests
-    href: www-administration-management/http-bad-request-response-kerberos.md
   - name: HTTPS connections fail and SSL bindings are deleted
     href: www-administration-management/https-connections-fail-ssl-bindings-deleted.md
   - name: IIS events are not displayed remotely
@@ -200,6 +198,8 @@ items:
     href: www-authentication-authorization/error-install-certificate.md
   - name: Exporting configuration files fails
     href: www-authentication-authorization/configuration-files-cannot-exported.md
+  - name: HTTP error 400 when you send requests
+    href: www-authentication-authorization/http-bad-request-response-kerberos.md
   - name: HTTP error 403.7
     href: www-authentication-authorization/http-403-forbidden-open-webpage.md
   - name: IIS authenticates browser clients

…nt/http-bad-request-response-kerberos.md …on/http-bad-request-response-kerberos.mdsupport/developer/webapps/iis/www-administration-management/http-bad-request-response-kerberos.md renamed to support/developer/webapps/iis/www-authentication-authorization/http-bad-request-response-kerberos.md support/developer/webapps/iis/www-administration-management/http-bad-request-response-kerberos.md renamed to support/developer/webapps/iis/www-authentication-authorization/http-bad-request-response-kerberos.md

@@ -1,9 +1,9 @@
 ---
 title: HTTP 400 error responses to HTTP requests
 description: Works around an HTTP 400 error that the HTTP request header is too long.
-ms.date: 05/14/2021
+ms.date: 01/10/2025
 ms.custom: sap:WWW Authentication and Authorization\Windows Authentication
-ms.reviewer: ivanpash
+ms.reviewer: ivanpash, paulboc
 ---
 # HTTP 400 Bad Request (Request Header too long) responses to HTTP requests
 
@@ -34,8 +34,7 @@ Decrease the number of Active Directory groups that the user is a member of.
 
 Increase the settings for the `MaxFieldLength` and the `MaxRequestBytes` registry entries on the server so that the user's request headers don't exceed these values. To determine the appropriate settings, use the following calculations:
 
-1. Calculate the size of the user's Kerberos token by using the formula described in the following article:  
-[Problems with Kerberos authentication when a user belongs to many groups](https://support.microsoft.com/kb/327825).
+1. Calculate the size of the user's Kerberos token by using the formula described in [Problems with Kerberos authentication when a user belongs to many groups](../../../../windows-server/windows-security/kerberos-authentication-problems-if-user-belongs-to-groups.md).
 
 2. Set the value of `MaxFieldLength` and `MaxRequestBytes` on the server to 4/3 * T bytes, where T is the user's token size in bytes. HTTP encodes the Kerberos token by using base64 encoding.
 
@@ -48,7 +47,8 @@ Depending on your application environment, you might also work around this probl
 
 By default, there is no `MaxFieldLength` registry entry. This entry specifies the maximum size limit of each HTTP request header. The `MaxRequestBytes` registry entry specifies the upper limit for the total size of the Request line and the headers. Typically, this registry entry is configured together with the `MaxRequestBytes` registry entry. If the `MaxRequestBytes` value is lower than the `MaxFieldLength` value, the `MaxFieldLength` value is adjusted. In large Active Directory environments, users may experience logon failures if the values for both these entries aren't set to a sufficiently high value.
 
-For IIS 6.0 and later, the `MaxFieldLength` and `MaxRequestBytes` registry keys are located at the following sub key:  
+For IIS versions shipped with Windows Server 2016 and later, the `MaxFieldLength` and `MaxRequestBytes` registry keys are located in the following subkey:  
+
 `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters`
 
 Set the key values as shown in the following table:
@@ -68,12 +68,12 @@ Set the key values as shown in the following table:
 > [!IMPORTANT]
 > Changing these registry keys should be considered to be extremely dangerous. These keys allow larger HTTP packets to be sent to IIS. This, in turn, may cause Http.sys to use more memory. Therefore, such changes can increase the computer's vulnerability to malicious attacks.
 
-If `MaxFieldLength` is set to its maximum value of 64 KB, the `MaxTokenSize` registry value should be set to 3/4 * 64 = 48 KB. For more information about the `MaxTokenSize` setting, see [Problems with Kerberos authentication when a user belongs to many groups](https://support.microsoft.com/help/327825).
+If `MaxFieldLength` is set to its maximum value of 64 KB, the `MaxTokenSize` registry value should be set to 3/4 * 64 = 48 KB. For more information about the `MaxTokenSize` setting, see [Problems with Kerberos authentication when a user belongs to many groups](../../../../windows-server/windows-security/kerberos-authentication-problems-if-user-belongs-to-groups.md).
 
 ## References
 
-- [Http.sys registry settings for IIS](https://support.microsoft.com/help/820129/http-sys-registry-settings-for-windows)  
+- [Http.sys registry settings for IIS](../iisadmin-service-inetinfo/httpsys-registry-windows.md)  
 
-- [Error logging in HTTP API](https://support.microsoft.com/help/820729/error-logging-in-http-apis)
+- [Error logging in the HTTP server API](/windows/win32/http/error-logging-in-the-http-server-api)
 
-- [Problems with Kerberos authentication when a user belongs to many groups](https://support.microsoft.com/help/327825)
+- [Problems with Kerberos authentication when a user belongs to many groups](../../../../windows-server/windows-security/kerberos-authentication-problems-if-user-belongs-to-groups.md)