Skip to content
This repository was archived by the owner on Apr 27, 2021. It is now read-only.

Known Issues

bsmithvt edited this page Jun 24, 2019 · 11 revisions

This document covers a few known issues you may encounter when running Fabric.Identity on IIS, along with workarounds and estimated releases for fixing the root cause:

Users receive a HTTP 400 - Bad Request (Request Header too long) error when authenticating to Fabric.Identity.

Cause

Users who have a large number of Active Directory groups may encounter this error because group membership details to a cookie and the access token. The more groups someone has, the larger the cookie/access token which get passed in HTTP headers. IIS by default has a 16KB limit on the size of a header in the request. See this Microsoft support article for more details.

Resolution

There are two ways to work around this issue:

  1. The max size of the allowed headers can be increased
  2. Fabric.Identity can filter the groups that are added to the cookie/token during authentication

Below are instructions on how to implement each work around.

Increase Max Header Size in IIS

Increasing the max header size in IIS involves updating the registry and restarting the http service. This will require downtime of your IIS server.

  1. Modify or Create the MaxFieldLength and MaxRequestBytes registry settings located at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters and set their values to a value that is sufficiently large. The examples below set the values to 24K.
    MaxFieldLength REG_DWORD 24576
    MaxRequestBytes REG_DWORD 24576

These values likely don’t exist, so you’ll have to create them. When they don’t exist they default to 16KB.

  1. Stop the http service: net stop http

This will stop other services that depend on the http service, make note of them so you can restart them.

  1. Start the http service: net start http
  2. Start the services that depend on the http service

Add filters for group names

Fabric.Identity has configuration settings available in the appsettings.json that allow filtering of the AD groups tied to a user so only groups that start with or end with a particular prefix or suffix will be included in the cookie/token. By default Fabric.Identity will not filter groups. To add group filters:

  1. Open the appsettings.json for Fabric.Identity, most likely located in C:\inetpub\wwwroot\identity
  2. Update the FilterSettings object and add prefixes and suffixes, for example:
"FilterSettings": {
    "GroupFilterSettings": {
      "Prefixes": [
          "HC",
          "Health Catalyst"
      ],
      "Suffixes": [
          "HC",
          "Health Catalyst"
      ]
    }

IMPORTANT: You must include the Active Directory domain if applicable (i.e., HQCATALYST\Product Development, not Product Development)

The above settings will only add groups that start or end with "HC" or "Health Catalyst" to the cookie/token. You can add as many prefixes and suffixes as you want.

  1. Save the appsettings.json
  2. Stop and Start the identity app pool

When the app pool is stopped, no requests will be served, so this is best done during downtime maintenance

Targeted Release for permanent fix

None - the expectation is to use the above resolutions to fix this.

ERR_UNEXPECTED Displays briefly before Fabric.Identity page loads

Cause

This is a known issue in the interaction between Google Chrome and IIS running on Windows Server 2016. IIS on Windows Server 2016 by default serves content with http2, but Windows Authentication doesn't support http2 and Chrome isn't handling the http2 to http 1.1 downgrade properly. More information can be found in this bug report.

Resolution

To resolve this issue http2 can be disabled on IIS on Windows Server 2016. This will require restarting the http service so its best to do this during a downtime window.

  1. Add the following registry settingsto HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
    EnableHttp2Tls REG_DWORD 0
    EnableHttp2Cleartext REG_DWORD 0
  2. Stop the http service: net stop http

This will stop other services that depend on the http service, make note of them so you can restart them.

  1. Start the http service: net start http
  2. Start the services that depend on the http service

Targeted Release for permanent fix

None - the expectation is to use the above resolutions to fix this.

No logs being written to IIS (inetpub/wwwroot/Identity/logs)

Cause

When the ACL of the logs folder or its parent is out of order, the installation script cannot properly grant rights to the logs folder.

Workaround

Manually give the Identity app pool user read/write permissions to the ../inetpub/wwwroot/Identity/logs folder.

Targeted Release for permanent fix

Fabric.Identity 1.4, which corresponds to DOS 18.2.

Fabric.Identity install is not able to grant read rights to private key of CNG based certificate

Cause

The installation script only looks for private keys in the proper location for CSP certificates.

Workaround

There are two workarounds available:

  1. Manually grant the app pool user rights to read the private key of the cert after completing installation.
  2. Use a CSP based certificate

Targeted Release for permanent fix

Fabric.Identity 1.4, which corresponds to DOS 18.2.

Fabric.Identity occasionally fails to start following an installation or upgrade with the following error message (invalid length for base 64 char array)

Cause

Fabric.Identity has a bug on startup where it trims too many characters from the beginning of a string that starts with e, n, or c when attempting to decrypt an encrypted value.

Workaround

Reinstall Fabric.Identity. Only the application needs to be reinstalled here, not the database.

Targeted Release for permanent fix

Fabric.Identity 1.3, which corresponds to DOS 18.1. This will be delivered through a hotfix.

If powershell script execution permissions are not setup properly on a machine, the DOS Installer fails when running a powershell step and does not provide an error message

Cause

In the case where we don't have permission to run scripts, the error logs are not redirected to a file, so there is no feedback to the user that the script failed due to powershell permissions.

Workaround

Ensure powershell script permissions are setup appropriately before running DOS installer.

Targeted Release for permanent fix

Fabric.Identity 1.4, which corresponds to DOS 18.2.

Unable to acquire a delegate token error ({error: {code: 500, message: "Unable to acquire a delegate token."}})

Cause

This typically occurs when an application or service is incorrectly setup. For example, if Metadata Service V2 authorization in IIS is set to use the wrong auth type (set for "Basic", but should be "Anonymous" only).

Workaround

Manually correct any invalid authentication types in IIS. Double check every app and service is using https (Discovery Service and web.config values for "ApplicationEndpoint").

Targeted Release for permanent fix

None - the expectation is to use the above resolutions to fix this.

Unauthorized client error

Cause

The client attempting to get a token from Identity is not properly registered.

Workaround

One reason could be that the client is disabled (ensure the "Enabled" flag for a client within Identity is set to true). Double check the client_id being used is registered with Identity. Double check the client_secret being used.

Targeted Release for permanent fix

None - the expectation is to use the above resolutions to fix this.

Silent Token Refresh Failure (Error message of "silent renew error Failed to parse id_token" in browser console)

Cause

The OIDC Javascript client (oidc-client) is on version 1.5.1, which has a known bug per the link below.

https://github.com/IdentityModel/oidc-client-js/issues/583

Workaround

Upgrade oidc-client to version 1.5.2 or later.

Clone this wiki locally