ISA 2006 Kerberos issues

You receive the following error message when trying to navigate the internet through a 2006 ISA proxy:

414 Request-URL too large. The size of the request header is too large. Contact your ISA server administrator (12215).


You should start by removing the user from any AD groups that they do not need (especially legacy domain groups). We found that many of the users having issues were in close to 200 AD groups.

If this doesn’t work for you or you cannot remove any groups, another option is to go to:

Internet Options > Advanced and uncheck ‘Enable Integrated Windows Authentication’

According to this post, this option is more of a workaround (it forces the machine to negotiate via NTLM authentication rather than using Kerberos). I personally prefer not using workarounds and thus the first option is better. Plus, if you find yourself in the same position we did (users with 200+ groups), you are in need of some serious AD cleanup!
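To find which accounts need that cleanup, the following added example (not part of the original post) ranks users by nested security-group count and gives a rough Kerberos token size for each. It assumes the ActiveDirectory PowerShell module and a single-domain forest; the function name `Get-UserGroupLoad` and the 100-group threshold are made up for illustration.

```powershell
# Added example: rank accounts by nested security-group count for AD cleanup.
# Assumes the ActiveDirectory module (RSAT) and a single-domain forest.
Import-Module ActiveDirectory

function Get-UserGroupLoad {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [Microsoft.ActiveDirectory.Management.ADUser]$User
    )
    process {
        # Escape characters that are special inside an LDAP filter value.
        $dn = $User.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
            -replace '\(', '\28' -replace '\)', '\29'

        # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) walks nested
        # membership, so groups inherited through other groups are counted too.
        # The primary group (usually Domain Users) is not returned by this query.
        # Distribution groups are dropped: only security groups end up in the ticket.
        $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
            Where-Object { $_.GroupCategory -eq 'Security' })

        $domainLocal     = @($groups | Where-Object { $_.GroupScope -eq 'DomainLocal' }).Count
        $globalUniversal = $groups.Count - $domainLocal

        [pscustomobject]@{
            User                = $User.SamAccountName
            SecurityGroups      = $groups.Count
            DomainLocal         = $domainLocal
            GlobalOrUniversal   = $globalUniversal
            # Microsoft's published estimate: 1200 + 40d + 8s bytes, where d is
            # domain local groups and s is global/universal groups. SID history
            # and cross-domain universal groups are ignored here (assumption).
            EstimatedTokenBytes = 1200 + (40 * $domainLocal) + (8 * $globalUniversal)
        }
    }
}

# Constructed threshold of 100 groups; tune it for your environment.
Get-ADUser -Filter 'Enabled -eq $true' |
    Get-UserGroupLoad |
    Where-Object { $_.SecurityGroups -ge 100 } |
    Sort-Object SecurityGroups -Descending |
    Format-Table -AutoSize
```

The in-chain query runs once per user, so on a large domain scope the `Get-ADUser` call with `-SearchBase` to the OU of the affected users.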

*EDIT* – 7/22/14

Due to a flaw with NTLM, Microsoft has since pushed an update to disable it. This is why you don’t use work-arounds :]

http://redmondmag.com/articles/2014/07/17/critical-active-directory-design-flaw.aspx

http://www.aorato.com/blog/active-directory-vulnerability-disclosure-weak-encryption-enables-attacker-change-victims-password-without-logged/

https://technet.microsoft.com/library/security/2868725

akers8806
