Client cannot renegotiate request and returns an HTTP 413 error

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

If client certificates are enabled on a Web server, Web site, or on individual directories or files on the site, clients might see an HTTP 413 error when uploading large files.

If a client sends a long HTTP request, for example, a POST request, to a Web server running IIS 6.0, the IIS worker process might receive enough data to parse request headers, but not receive the entire request entity body. When the IIS worker process detects that client certificates are required to return data to the client, IIS attempts to renegotiate the client connection. However, the client cannot renegotiate the connection because it is waiting to send the remaining request data to IIS.

If client renegotiation is requested, the request entity body must be preloaded using SSL preload. SSL preload will use the value of the UploadReadAheadSize metabase property, which is used for ISAPI extensions. However, if UploadReadAheadSize is smaller than the content length, an HTTP 413 error is returned, and the connection is closed to prevent deadlock. (Deadlock occurs because the client is waiting to finish sending the request entity while the server is waiting for renegotiation to complete, but renegotiation requires that the client be able to send data, which it cannot do.)

The solution is to ensure that the client is not blocked from sending the entire entity body. To do so, change the value of UploadReadAheadSize to a value larger than the content length.

The following example shows how to set the value for UploadReadAheadSize to 64 KB on the Web server.

cscript adsutil.vbs set w3svc/1/uploadreadaheadsize 65536

Note: Setting the UploadReadAheadSize property above 64 KB is not recommended for Web sites that do not require client certificate authentication, because doing so runs the risk of allowing an anonymous denial of service (DoS) attack. When UploadReadAheadSize needs to be set to a value higher than 64 KB, it is recommended that you set the SSLAlwaysNegoClientCert property to True, which will require that the client has a valid client certificate installed.
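
The two rules above (HTTP 413 when UploadReadAheadSize is smaller than the content length, and the 64 KB guidance in the note), applied to a set of sites as an added example that is not part of the original article or Microsoft's code. The Site fields, the max_upload_bytes figure, the sample sites, and the rounding to the next 1 KB are assumptions made for this example.

```python
from dataclasses import dataclass

KB64 = 64 * 1024  # limit the note gives for sites without client certificates

@dataclass
class Site:
    """Constructed model of one site; only the two property names come from the page."""
    path: str                          # metabase path, e.g. "w3svc/1"
    upload_read_ahead_size: int        # UploadReadAheadSize, in bytes
    requires_client_cert: bool         # client certificates enabled for the site
    ssl_always_nego_client_cert: bool  # SSLAlwaysNegoClientCert
    max_upload_bytes: int              # largest request body expected (assumption)

def recommended_size(max_upload_bytes):
    """Smallest multiple of 1 KB strictly larger than the expected content length."""
    return (max_upload_bytes // 1024 + 1) * 1024

def audit(site):
    """Return (code, detail) findings for one site, using the rules stated above."""
    findings = []
    size = site.upload_read_ahead_size
    # Renegotiation needs the whole body preloaded; a shorter read-ahead gives 413.
    if site.requires_client_cert and size < site.max_upload_bytes:
        new = recommended_size(site.max_upload_bytes)
        findings.append(("HTTP_413", f"cscript adsutil.vbs set {site.path}/uploadreadaheadsize {new}"))
        size = new  # judge the 64 KB rules against the value being proposed
    if size > KB64 and not site.requires_client_cert:
        findings.append(("DOS_RISK", "above 64 KB on a site without client certificate authentication"))
    elif size > KB64 and not site.ssl_always_nego_client_cert:
        findings.append(("NEEDS_ALWAYS_NEGO", "above 64 KB: set SSLAlwaysNegoClientCert to True"))
    return findings

# Constructed sample sites, not taken from a real server.
SITES = [
    Site("w3svc/1", 49152, True, False, 40000),      # body fits, nothing to report
    Site("w3svc/2", 49152, True, False, 200000),     # 413 now; the fix exceeds 64 KB
    Site("w3svc/3", 1048576, False, False, 200000),  # large read-ahead, anonymous site
    Site("w3svc/4", 262144, True, True, 200000),     # large read-ahead, paired correctly
]

def audit_all(sites=SITES):
    """Map each metabase path to its list of findings (empty list means no issue)."""
    return {s.path: audit(s) for s in sites}

if __name__ == "__main__":
    for path, findings in audit_all().items():
        print(path, findings or "ok")
```
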

For more information about UploadReadAheadSize, see UploadReadAheadSize Metabase Property.

For more information about SSLAlwaysNegoClientCert, see SSLAlwaysNegoClientCert Metabase Property.