Bad Message 431 in a single SP environment

[Kylie Lunghusen]

Hi folks,

We've got a problem in which the Test and Production versions of a particular SP behave differently.

Background:
SP [ORG]-test.[APP].com.au uses our Test IdP
SP [ORG].[APP].com.au user our Production IdP
(Both IdPs defer to CAS/AD for authentication.)

Problem:
Production SP works fine.
On first login to the Test SP, it works. On subsequent logins, it gives the error:
"Bad Message 431
reason: Request Header Fields Too Large"
This behaviour is consistent, and applies across browsers and operating systems.

Investigations so far:
* I'm told the SPs are configured more or less identically.
* requestHeaderSize in jetty.xml is set to 8192 on all of our IdP environments.
* In second-access request headers captured via Dev Tools, the Test headers are usually slightly longer than the Prod ones, but still well below 8192 (eg. Test 7627, Prod 7458).

Only things I can think of are:
* requestHeaderSize is not the only setting (or is the wrong setting) to be checking?
* There are wrappers that make the thing bigger than it looks (like the way an email in transit is bigger than in the inbox)?
* Bytes != characters (I know some characters use two bytes, dunno if that includes any of these ones) so the Test headers really are over 8192?
(Apologies if stupid questions, am learning on the job with no mentor.)

I've failed to answer these questions via Googling, so it's time to ask the folks who know a lot more than I do.

Any ideas on what/where I should be checking?

Thanks,

K



--
Kylie Lunghusen
Technical Tools Administrator, University Operations
Information Technology Services, RMIT University


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20180907/5bb30782/attachment.html>