Solved

Single Sign on Issues between Windows 2008 R2 and Redhat Enterprise Linux 5

Posted on 2010-11-11
5
1,262 Views
Last Modified: 2012-05-10
I am having single sign on issues between my W2K8 domain controllers and our appliance running RHEL5.
 
I have created a single sign on account and imported the keytab successfully. However, when I attempt to connect to the appliance webpage using single sign on I get the following error message:

"Request Entity Too Large
The requested resource
/webinterface/SingleSignOn
does not allow request data with GET requests, or the amount of data provided in the request exceeds the capacity limit.
--------------------------------------------------------------------------------

Apache Server at webserver.fqdn Port 443"

We've since figured out that users signing on (not the single sign on account) that are members of 50  or mode AD groups get this error message.

More research has shown that this may be due to the Kerberos 5 PAC size being too big.

So we have immediate options: (from what I can see)
1) Get RHEL5 to not read the Kerberos PAC
2) Find a way to increase the size limit of what RHEL5 (httpd.conf) can accept


For option 1, I found this http://support.microsoft.com/kb/832572 from Microsoft.
But it only applies to Windows 2003 and I cannot find documents that apply to W2K8.
Maybe that UserAccountControl field is already there but I don't know how to manipulate it (comfortably).

For option 2, I searched around the "Request Entity Too Large" documents around several websites.
I did try amending the httpd.conf file and adding a LimitRequestBody field into the configuration as per below:

<Directory />
    Options FollowSymLinks
    AllowOverride None
    LimitRequestBody 102400000
</Directory>

After restarting the service, the fault was still there. I am unsure whether I put this line in the right spot as there was no LimitRequestBody setting in this file prior to me fiddling with it. Maybe someone can give guidance.

If someone has seen this before, or can assist I would be greatly appreciative.
0
Comment
Question by:joedelapaz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 

Author Comment

by:joedelapaz
ID: 34117965
As per option 1 (http://support.microsoft.com/kb/832572)

I would like to try to run my single sign on account without the PAC. Does anyone know how I can set the no_auth_data required flag on this account?

Thanks,
Joe
0
 

Accepted Solution

by:
joedelapaz earned 0 total points
ID: 34118008
found it.

answered my own question.

use adsiedit
 NoAuthDataRequired = 33554432        // 0x2000000  
0
 

Author Comment

by:joedelapaz
ID: 34118087
this has solved the problem. single sign on is now working.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34824847
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
This article explains how to install and use the NTBackup utility that comes with Windows Server.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question