Do web.config header size limits override http.sys limits in the registry?

Question

I have an ASP.Net 4.0 application using Windows Integrated Authentication on IIS7.5 on Windows 2003.

Some users are reporting errors with this message:

Bad Request - Request Too Long

HTTP Error 400. The size of the request headers is too long.

Others succeed in loading pages but have errors loading other resources and performing AJAX calls.

One of the users experiencing intermittent errors has a Kerberos Authorization header of about 5700 characters. This user is a member of 250 AD groups. My theory is that other HTTP headers (inc cookies) may take the total beyond 8000 characters, which if encoded using UTF16, totals over the default 16KB limit.

This page describes using web.config to configure limits on each HTTP header: http://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits/headerlimits

This page describes using registry settings to set limits on HTTP header size and total request size, by default both 16KB: https://support.microsoft.com/en-us/kb/820129

1. Do the web.config settings override the HTTP.sys registry settings?
2. If so, is there a web.config setting for the total request size?

Answer 1

1. The registry one takes high priority as the driver is the entry point of packets. It is also a server wide setting for all incoming HTTP packets.

The request filtering setting only takes effect when the packets are forwarded to IIS pipeline. It can be set at multiple levels to achieve fine grained control.

2. There does not seem to be a setting for that.