When configuring WinRM on servers in an Active Directory domain, I ran into a strange problem. After the WinRM service was configured and enabled on the Windows server, and remote connections to it were allowed through Windows PowerShell Remoting, the following WinRM error appeared in the PowerShell console when attempting a remote connection to the server with the Enter-PSSession lon-dc1 command:
PS C:\Windows\system32> Enter-PSSession lon-dc01
Enter-PSSession : Connecting to remote server lon-dc1 failed with the following error message : The WinRM client received an HTTP bad request status (400), but the remote service did not include any other information about the cause of the failure. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession lon-dc1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (lon-dc1 :String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
You may also see the following error message:
The WinRM client cannot process the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid.
At the same time, the WinRM ports on the server (5985/HTTP, 5986/HTTPS) respond and accept connections. You can check the availability of the WinRM TCP ports using the PortQry tool or the Test-NetConnection PowerShell cmdlet:
TNC lon-dc1 -Port 5985
As it turned out, the problem was related to the large size of the user's Kerberos token, caused by the user being a member of too many domain security groups. The error appears when the token size exceeds 16 KB (see the article Kerberos MaxTokenSize and Security Groups). In our case the same thing happens: the WinRM server rejects the client request because the authentication header exceeds 16 KB. In the article linked above we mentioned that by default IIS accepts HTTP headers of no more than 16 KB, and if HTTP authentication fails because of a large user token, the limit needs to be increased to 64 KB.
To fix the problem, you need to reduce the token size (reduce the number of security groups the user is a member of). If that is not possible, change the values of the following DWORD parameters under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters on the server:
- MaxFieldLength: increase to 0000ffff (65535);
- MaxRequestBytes: increase to 0000ffff (65535).
Now restart the server and check the WinRM connection from the remote client using Enter-PSSession.
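The following script is an added example, not code from the original post: run in an elevated PowerShell session on the WinRM server, it counts the group SIDs in the caller's token, reports the current HTTP.sys header limits, and sets the two registry values above to 0x0000ffff only where they differ (the registry path and value names are the ones from the post; the -WhatIf support is an assumption of this example).

```powershell
# Added example (not from the original post). Assumes an elevated session on the server.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters',
    [int]$TargetValue = 0xffff   # 65535 bytes, the value recommended above
)

$valueNames = 'MaxFieldLength', 'MaxRequestBytes'

# 1. Token pressure: the Kerberos token grows with every group the user belongs to,
#    so a large group count is the first thing to look at when WinRM returns HTTP 400.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host ('Identity {0} carries {1} group SIDs in its token' -f $identity.Name, $identity.Groups.Count)

# 2. Current HTTP.sys limits. A missing value means the Windows default of 16384 bytes (16 KB).
$props = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
foreach ($name in $valueNames) {
    $current = if ($null -ne $props -and $null -ne $props.$name) { $props.$name } else { '(not set, default 16384)' }
    Write-Host ('{0,-16} = {1}' -f $name, $current)
}

# 3. Raise both limits to 0x0000ffff where they are not already there.
#    Run with -WhatIf to preview the registry change without applying it.
foreach ($name in $valueNames) {
    if ($null -eq $props -or $props.$name -ne $TargetValue) {
        if ($PSCmdlet.ShouldProcess("$RegPath\$name", ('Set DWORD to 0x{0:x8}' -f $TargetValue))) {
            # -Force overwrites an existing value; -PropertyType DWord matches the type the post specifies
            New-ItemProperty -Path $RegPath -Name $name -Value $TargetValue -PropertyType DWord -Force | Out-Null
        }
    }
}

# 4. HTTP.sys reads these parameters at startup, so the post asks for a server restart.
Write-Host 'Done. Restart the server, then retry Enter-PSSession from the remote client.'
```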