This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 10%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVN%3C/text%3E%3C/svg%3E)
I have an MVC application utilizing ADFS authentication. Authentication for a specific user has been failing over the past few weeks. The SAML response status is 200, indicating successful authentication from the server. Upon inspecting the SAML response for this user, it appears that the user is a member of numerous Active Directory (AD) groups, resulting in the SAML response containing around 250 claim attributes (saml:AttributeValue). Could this large number of claims be causing the issue? Most other users have fewer than 50 claims. Is there a maximum number of groups that a user can be a member of for a successful SAML token? This user was able to log in previously. Is this an issue within the application or could it be an ADFS SAML issue?
As per the documentation https://video2.skills-academy.com/en-US/troubleshoot/developer/webapps/iis/www-administration-management/http-bad-request-response-kerberos
I assume that this is an issue with MaxFieldLength and MaxRequestBytes registry entries in IIS Server. Any idea how to update these values?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 7.000000000000001%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERW%3C/text%3E%3C/svg%3E)
You need to remove some groups from that user. Nobody needs to be a member of +250 groups :-)