Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. FIX: HTTP cookie headers are not forwarded to the published server in Forefront Unified Access Gateway 2010 when the total cookie header size in the client request exceeds 5,120 bytes

FIX: HTTP cookie headers are not forwarded to the published server in Forefront Unified Access Gateway 2010 when the total cookie header size in the client request exceeds 5,120 bytes

View products that this article applies to.

Symptoms

Microsoft Forefront Unified Access Gateway (UAG) 2010 does not forward the HTTP cookie header to the published server when the total cookie header size in the client request exceeds 5,120 bytes (5 KB).
This problem is caused by a Forefront UAG HTTP header parsing function when the total length of all HTTP cookie headers in the request exceeds the limit of the Forefront UAG maximum cookie header length buffer. When this cookie header length value is too large, the function returns a NULL cookie header in the request that is forwarded to the published resource. 

↑ Back to the top

Resolution

To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:

2744025 Description of Forefront Unified Access Gateway 2010 Service Pack 3

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Although the size of a single cookie that a web browser sends can be 4 KB, the total request cookie header size may be larger because this total size may include multiple cookies or even multiple cookie headers. In addition, external applications that create lots of individual cookies may generate the client HTTP request, and this increases the total HTTP cookie header size. 

Active Directory Federation Services (AD FS) 2.0 claims authentication that is configured for a Forefront UAG trunk together with a published Microsoft SharePoint application also use claims authentication. This is true especially in the case in which there is a federated AD FS implementation. In this particular scenario, the total cookie header length can become fairly large. If the client request cookie header is not forwarded appropriately to the published AD FS or SharePoint application, the user may experience intermittent authentication failure or additional AD FS realm selection pages.

Because there may be multiple scenarios that result in a client request that has a total cookie header size greater than 5,120 bytes, Forefront UAG was changed to handle these requests appropriately.

↑ Back to the top

References

For more information about Http.sys settings for Windows, go to the following Microsoft TechNet website:

Http.sys registry settings for Windows
For more information about cookies in Internet Explorer, go to the following Microsoft TechNet website:

Number and size limits of a cookie in Internet Explorer
For more information about the RFC 2109 specifications, go to the following websites:

Internet Engineering Task Force (IETF) RFC 2109 specifications

World Wide Web Consortium (W3C) RFC 2109
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top

Keywords: kbqfe, kbfix, kbnotautohotfix, kbexpertiseinter, kbsurveynew, kbbug, kb

↑ Back to the top

Article Info
Article ID : 2812389
Revision : 1
Created on : 1/7/2017
Published on : 2/20/2013
Exists online : False
Views : 326