FIX: "414 Request-URI Too Large" Error Message from ISA Server

When you are using Internet Security and Acceleration (ISA) Server 2000 in either a Web publishing or a Web proxy scenario, you may receive the following error message when you open or post data to a Web page:

By default, ISA Server permits HTTP requests that have a combined header length of up to 10 KB. If the limit is exceeded, you receive the error message that is described in the "Symptoms" section. For HTTPS, the Transport Layer Security (TLS) 1.0 RFC 2246 (section 6.2.1) and the Secure Sockets Layer (SSL) 3.0 specification state that no single SSL fragment should be more than 2^14 bytes (16 KB). However, certain clients may not follow this specification, or they may send SSL fragments that are close to 16 KB. ISA Server requires a single buffer to decrypt the SSL fragments before it tries to parse the headers.

You may receive the error message when you connect to a Web server that is Web published by an ISA Server computer. The problem may occur in the following situations:

• The client sends an HTTP or HTTPS request with headers, and the request has a combined length of more than 10 KB.
• The client sends a malformed HTTP request that has a combined length of more than 10 KB and that does not separate the request header and the message body with two carriage return and line feed characters. This is typically a POST request because a POST request may contain data in the body.
• The client sends an HTTPS POST request to the Web server, and the combined length of the headers and the body is more than 10 KB.

You may also experience this problem with outgoing Web proxy requests in the following situations:

• The client sends an HTTP request with headers, and the request has a combined length of more than 10 KB.
• The client sends a malformed HTTP request that has a combined length of more than 10 KB and that does not separate the request header and the message body with two carriage return and line feed characters. This is typically a POST request because a POST request may contain data in the body.

When you install the hotfix that is described in this article, ISA Server tries to decrypt the SSL fragments before all the data is received. It then determines if all headers has been received and tries to parse the headers.

You must install ISA Server Service Pack 1 (SP1) before you install the following hotfix. For additional information about how to obtain the latest ISA Server service pack, click the following article number to view the article in the Microsoft Knowledge Base: A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language. The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. This fix also applies to the French, German, Spanish, and Japanese versions of ISA Server.

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You can add a registry value to change the default maximum value for the HTTP request headers. If you are Web publishing a Web site by using HTTPS behind an ISA Server computer and you do not install the hotfix, you may have to change this value from 10 KB to 32 KB (32768 decimal). Microsoft recommends that you install the hotfix because the default value reduces the risk of malicious HTTP requests.

To change the default value, follow these steps:

1. Stop the Web Proxy service.
2. Start Registry Editor.
3. Locate and then select the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters
4. Create a new DWORD value named
   MaxRequestHeadersSize
   . Give this new value a data value of 32768 (decimal).
5. Restart the Web Proxy service.

To return to the original configuration, remove the registry value. After you make the change, restart the Web Proxy service.

Note If you do not install the hotfix, you may have to increase this value to more than 64 KB depending on how the client encrypts its SSL packets or if the client sends HTTP request headers that are more than 64 KB.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

If you add the registry value in the "Workaround" section of this article or apply the hotfix, and the problem still occurs, the error message may have been issued by a different ISA Server computer. For example, the error message may have been issued by an upstream ISA Server computer in your organization. The error message may also have been issued by an external ISA Server computer in an organization that is Web publishing its Web site behind its own ISA Server computer.
To troubleshoot this problem, you can use Network Monitor or review the Web Proxy logs of the ISA Server computers in the request chain. The Web Proxy log of the ISA Server computer that issued the error message contains 414 as the "sc-status" for the request.