413 request entity too large

413 request entity too large errors occur when the request body is larger than the server is configured to allow but specific to tomcat IIS combination with SSO as for few users header size value and max_packet_size is getting bigger than what is set in IIS and Tomcat configurations.This happens as header encodes the user’s group membership in the authorization header, so if a user is part of large number of groups or multiple SSL chains gets sent, the header/request becomes very large to get processed by IIS & Tomcat with default set limits. For example by default tomcat has an 8k maximum header, whilst users belonging to many groups can have an authorization token that can swell to larger than this size. This explains why it will work for one user and whilst for other user it might not work.

REFRENCE ERRORS AS SEEN IN LOG FILES:

1. 413 Error in IIS Access log:

2016-11-23 17:13:08 10.231.132.212 GET  /VERY_LONG_URL 443 USERID 10.15.101.221 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E;+InfoPath.3) https://VERY_LONG_URL 413 0 0 15

2. 413 Error in ISAPI_REDIRECT.log:

[Wed Nov 23 12:13:09.132 2016] [2556:1060] [error] ajp_marshal_into_msgb::jk_ajp_common.c (511): failed appending the query string
[Wed Nov 23 12:13:09.148 2016] [2556:1060] [error] HttpExtensionProc::jk_isapi_plugin.c (2195): service() failed with http error 413

DETAILED ANALYSIS:

1. User Browser Profiling:

From the browser profiling we were able to see Request Entity Too Large error seen only for the GET requests which are having header sizes more than approx. 5000.

We confirmed the same after analyzing all the failed requests and It was observed that all the failed requests with 413 request entity too large on browser screen and in back end logs had headersSize value greater than 5000 and all successful requests had header size lower than 5000.
Example successful requests header sizes:

The above issue can be solved by making sure higher values are set in regedit for header size. So to solve the headerSize limitation webserver and machine shall have below settings available:
Create the following DWORD values under the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
MaxFieldLength : 65534
MaxRequestBytes : 16777216

References:
Microsoft KB link: https://support.microsoft.com/en-us/kb/820129

2. Backend error logs analysis:

ajp_marshal_into_msgb::jk_ajp_common.c (511): failed appending the query string

The above error comes due to request exceeding the default maxHttpHeaderSize for HTTP connections or max_packet_size for AJP connections.
This issue can be addressed by changing the following configs in Tomcat, tomcat connectors and IIS.

Tomcat AJP connector:

worker.ajp13w.max_packet_size=65536 in workers.properties file.

Tomcat Server:

In server.xml file.

 <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" maxHttpHeaderSize="65536" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" packetSize="65536" tomcatAuthentication="false" />

In JVM arguments

 -Dorg.apache.coyote.ajp.MAX_PACKET_SIZE=65536

IIS Web Server:

 
maxUrl=”65536”
maxQueryString="2097151"
maxUrlLength=”65536”
maxRequestLength=”20971520”
uploadReadAheadSize="4194304”

 

Detailed Steps To Complete the Changes

1. Login to the Application and open the IIS Manager from the administrative tools.
2. Click on the Website created for the application.
3. Click on Configuration Editor Icon.

4. Navigate as per below screenshot and update the highlighted parameters like below.

 
maxUrl=”65536”
maxQueryString="2097151"
maxUrlLength=”65536”
maxRequestLength=”20971520”

Note: Make sure the same values are updated in both configuration editors. Local site level and Global.

Screenshot 1:

Screenshot 2:

5. maxHttpHeaderSize setting:

Note: Below settings needs to be done in both App and Web Server machine registries.
Create the following DWORD values under the following registry key:

 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

MaxFieldLength : 65534
MaxRequestBytes : 16777216

6. max_packet_size setting:

max_packet_size : AJP,SUB Default 8192 : This attribute sets the maximal AJP packet size in Bytes. It should be a multiple of 1024. Configuration values that are not a multiple of 1024 will be aligned to the next multiple of 1024. The maximum value is 65536. If you change it from the default, you must also change the packetSize attribute of your AJP connector on the Tomcat side! The attribute packetSize is available in Tomcat 6.0.2 onwards.
Normally it is not necessary to change the maximum packet size. Problems with the default value have been reported when sending certificates or certificate chains.

The above settings needs to be done in the tomcat-connector and tomcat itself.

Step 1: Set max_packet_size in the worker definition

In the workers.properties file referenced by the tomcat-connection definition, set the packet size to the maximum:

 
worker.<worker name>.max_packet_size=65536

for example:

 worker.ajp13w.max_packet_size=65536

 

Step 2: Set packetSize in the AJP Connector definition

In the server.xml configuration file for tomcat, set the packet size to the maximum:

 
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" packetSize="65536" tomcatAuthentication="false" />

Step 3: In regedit

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\TomcatService\Parameters\Java and edit java options and add -Dorg.apache.coyote.ajp.MAX_PACKET_SIZE=65536

7. In the middle pane of the IIS application website click on the icon Request Filtering.

8. In the Request Filtering window, click on the Query Strings sub tab and click on Edit Feature Settings in the right most window.

9. This will open Edit Request Filtering Settings page, in that page change maximum query string like below screenshot and click on OK.

10. Select the site which is configured for Application and as well as Global.
• Select Configuration Editor
• Within Section Dropdown, select “system.webServer/serverRuntime”
• Enter a higher value for “uploadReadAheadSize” such as 4194304 bytes. Default is 49152 bytes.

 

Once all above configurations are completed restart complete IIS and Tomcat services to make the change take effect.

 

In case of any ©Copyright or missing credits issue please check CopyRights page for faster resolutions.