Bad Request exception from Zervicepoint Powershell Management commands

Problem

You may receive a Bad Request response when trying to use ZervicePoint Powershell Management commands using specific user accounts.

Console output typically looks like the following:

PS > Get-ZPService

Get-ZPService : Bad Request
At line:1 char:1
+ Get-ZPService
+ ~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ZPService], Exception
    + FullyQualifiedErrorId : Zipper.ZervicePoint.WebApi.PowerShell.GetZPServiceCommand

Cause

The most likely cause of this error is that the security token passed in the authorization header of the request exceeds the MaxFieldLength and/or MaxRequestBytes settings.

This issue may occur when the user is a member of many Active Directory user groups. When a user is a member of a large number of active directory groups the security token for the user increases in size. The HTTP request that the user sends to the IIS server contains the security token in the Authorization header, and the header size increases as the number of groups goes up. If the HTTP header or packet size increases past the limits configured in IIS, IIS may reject the request and send this error as the response.

Solution

To work around this problem, choose one of the following options:

  • Decrease the number of Active Directory groups that the user is a member of
  • Modify the MaxFieldLength and the MaxRequestBytes registry settings on the IIS server so the user's request headers are not considered too long. To determine the appropriate settings for the MaxFieldLength and the MaxRequestBytes registry entries, use the following calculations:

  • Get the size of the user's security token using the following command:

(Get-ZPSecurityToken).TokenXml.OuterXml.Length
  • Configure the MaxFieldLength and the MaxRequestBytes registry settings on the IIS server with a value of 4/3 * T, where T is the user's token size, in bytes. HTTP encodes the token using base64 encoding and therefore replaces every 3 bytes in the token with 4 base64 encoded bytes. Changes that are made to the registry will not take effect until you restart the HTTP service. Additionally, you may have to restart any related IIS services. The MaxFieldLength and MaxRequestBytes values are located under the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters