Microsoft KB Archive/819962

= FIX: &quot;414 Request-URI Too Large&quot; Error Message from ISA Server =

Article ID: 819962

Article Last Modified on 6/14/2007

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2000 Service Pack 1

-



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
When you are using Internet Security and Acceleration (ISA) Server 2000 in either a Web publishing or a Web proxy scenario, you may receive the following error message when you open or post data to a Web page:

414 Request-URI Too Large - The size of the request header is too large. Contact the server administrator.

(12215) Internet Security and Acceleration Server



CAUSE
By default, ISA Server permits HTTP requests that have a combined header length of up to 10 KB. If the limit is exceeded, you receive the error message that is described in the &quot;Symptoms&quot; section. For HTTPS, the Transport Layer Security (TLS) 1.0 RFC 2246 (section 6.2.1) and the Secure Sockets Layer (SSL) 3.0 specification state that no single SSL fragment should be more than 2^14 bytes (16 KB). However, certain clients may not follow this specification, or they may send SSL fragments that are close to 16 KB. ISA Server requires a single buffer to decrypt the SSL fragments before it tries to parse the headers.

You may receive the error message when you connect to a Web server that is Web published by an ISA Server computer. The problem may occur in the following situations:
 * The client sends an HTTP or HTTPS request with headers, and the request has a combined length of more than 10 KB.
 * The client sends a malformed HTTP request that has a combined length of more than 10 KB and that does not separate the request header and the message body with two carriage return and line feed characters. This is typically a POST request because a POST request may contain data in the body.
 * The client sends an HTTPS POST request to the Web server, and the combined length of the headers and the body is more than 10 KB.

You may also experience this problem with outgoing Web proxy requests in the following situations:
 * The client sends an HTTP request with headers, and the request has a combined length of more than 10 KB.
 * The client sends a malformed HTTP request that has a combined length of more than 10 KB and that does not separate the request header and the message body with two carriage return and line feed characters. This is typically a POST request because a POST request may contain data in the body.

When you install the hotfix that is described in this article, ISA Server tries to decrypt the SSL fragments before all the data is received. It then determines if all headers has been received and tries to parse the headers.



RESOLUTION
You must install ISA Server Service Pack 1 (SP1) before you install the following hotfix. For additional information about how to obtain the latest ISA Server service pack, click the following article number to view the article in the Microsoft Knowledge Base:

313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack

A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time   Version            Size    File name --  22-Jul-2003  11:24  3.0.1200.284      178,448  Mspadmin.exe 22-Jul-2003 11:23  3.0.1200.284      103,184  Msphlpr.dll 22-Jul-2003 11:23  3.0.1200.284      392,464  W3proxy.exe 22-Jul-2003 11:23  3.0.1200.284      299,280  Wspsrv.exe This fix also applies to the French, German, Spanish, and Japanese versions of ISA Server.



WORKAROUND
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You can add a registry value to change the default maximum value for the HTTP request headers. If you are Web publishing a Web site by using HTTPS behind an ISA Server computer and you do not install the hotfix, you may have to change this value from 10 KB to 32 KB (32768 decimal). Microsoft recommends that you install the hotfix because the default value reduces the risk of malicious HTTP requests.

To change the default value, follow these steps:
 * 1) Stop the Web Proxy service.
 * 2) Start Registry Editor.
 * 3) Locate and then select the following registry key:
 * 4) Create a new DWORD value named  . Give this new value a data value of 32768 (decimal).
 * 5) Restart the Web Proxy service.

To return to the original configuration, remove the  registry value. After you make the change, restart the Web Proxy service.

Note If you do not install the hotfix, you may have to increase this value to more than 64 KB depending on how the client encrypts its SSL packets or if the client sends HTTP request headers that are more than 64 KB.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
If you add the registry value in the &quot;Workaround&quot; section of this article or apply the hotfix, and the problem still occurs, the error message may have been issued by a different ISA Server computer. For example, the error message may have been issued by an upstream ISA Server computer in your organization. The error message may also have been issued by an external ISA Server computer in an organization that is Web publishing its Web site behind its own ISA Server computer.

To troubleshoot this problem, you can use Network Monitor or review the Web Proxy logs of the ISA Server computers in the request chain. The Web Proxy log of the ISA Server computer that issued the error message contains 414 as the &quot;sc-status&quot; for the request.

Keywords: kbhotfixserver kbqfe kbbug kbfix KB819962

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.