Some content on this site is available only to logged-in subscribers. Contact Us for information on becoming a subscriber.

InSource.Solutions | InSource Training | InSource Client Portal
InSource Solutions Logo
Log In Sign Up
InSource.Solutions InSource Training InSource Client Portal Log In Sign Up
  • Home
  • AVEVA Application Server
  • AVEVA Application Server Tech Notes

TN - SP121605 Resolving Failure to Configure System Management Server

Last updated: March 4th, 2026

Description

  • Author: James Rochester
  • Published: March 4th, 2026

Details:

Description

This article from InSource shows how to install System Platform 2017 Update 1 on MS Windows Server 2016.

  • Author: James Rochester
  • Published: 12/16/2025
  • Applies to: System Platform 2023 +, Citect, Plant SCADA

Details

If you encounter the following error in the Log Viewer while configuring System Management Server (SMS) using a domain user that is a member of many domain group or multiple nested groups. In the configurator you may simply see the message Failed to configure the device.

Component::ArchestrA.CertficateManager:


Failed to add solution 'Archestra_<MACHINENAME>'. ErrorCode: BadRequest, ErrorMessage: Bad Request : <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Request Too Long</h2>
<hr><p>HTTP Error 400. The size of the request headers is too long.</p>
</BODY></HTML>
 

This issue may occur if the user is a member of many Active Directory user groups.

The HTTP request to the server contains the Kerberos token in the WWW-Authenticate header. The header size increases together with the number of user groups. If the HTTP header or packet size increases past the limits that are configured on the server, the server may reject the request and send an error message as the response.

In order to configure SMS, the user must be a member of local Administrators or aaAdministrators group.
Resolution:

Follow the below steps to modify the User Group Filters:

Add the user to any one of these groups. Lets say user has been added to aaAdministrators.

Edit the file C:\Program Files (x86)\AVEVA\Platform Common Services\Management Server\appsettings.json on the System Management Server machine.

This file has a field "UserGroupFilters" which can be set up to filter the user groups which are essential for authorization. Add aaAdministrators group as mentioned below:
 

"UserGroupFilters": [
"aaAdministrators"
],

Save the file, restart the Aveva Identity Manager service on the SMS node and try registering using a user member of many domains.

 

configuring fixing
Give feedback about this article

Recommended articles

[ISS Support Case] PLC Communication Failure

Client reached because after user migrated the Galaxy none of the tags are communicating.

Read More

[ISS Support Case] Platform Deployment Failure

Client reached out as when user was attempting to deploy WinPlatform user was receiving the following error: "Cannot find the target PC on the network OR target PC can not communicate back to the Galaxy Repository using the NIC that is top in the binding order."

Read More

[ISS Support Case] Unknown Error

Unknown errors in the logger: Error Focus WWPackageServer Failed to deploy code modules for object[4140] Error: "'Error failed to deploy code modules to target" when deploying objects to another node. The AppServer Enterprise PC's have fixed IP addresses, are part of a workgroup, and there are no WINS or DNS or Host files. Reinstall AppServer on target node. This will redeploy the bootstrap and resolve the IP address issues. From aaPim Access Denied. (80030005) raised at line 4283 in PimPF.cpp (in D:\BldSrc1\178\s\src\PlatformInstallManager\WWPim\). Summary As previously noted in Tech Note TN10225, security improvements made in System Platform 2017 Update 3 included changes made to the user accounts and groups to utilize Virtual Service Accounts. These accounts and groups are needed for Wonderware products to function properly. Some customers have policies to eliminate unrecognized accounts and groups. This Tech Alert highlights information about the importance of the aaPim account's group membership. Situation aaPIM is the platform installation manager that is responsible for installing platforms. In previous versions aaPIM is launched on demand as a process with Adminintrator privilege. However, in System Platform 2017 Update 3, it is changed into a windows service and added to the Administrators group as a service account. It's important not to remove the NTService\aaPim account from the Administrators group unless you follow recommendations outlined in TN10297 Managing Service Accounts with Group Policy for System Platform 2017 Update 3. Symptoms If aaPim is removed from the Administrator group on System Platform 2017 Update 3, AppServer Deployment will fail. The error message will be similar to this: Error: Failed to deploy RemotePlatformName : Remote Node's UserId/Password don't match GR Node's Action Use exceptions in your IT Policies or Scripts to not delete the required Virtual Service Accounts or follow workaround recommendations outlined in TN10297. From

Read More
Support Icon

CONTACT SUPPORT

How to reach us

10800 Midlothian Turnpike Tpke, Suite 209, Richmond, VA 23235

1.877.INSOURCE

Technical Support - 1.888.691.3858

Contact Us

  • InSource Solutions
  • InSource Training
  • InSource Client Portal
  • Log In
InSource Solutions Logo

© 2026 InSource Solutions. All Rights Reserved.

Knowledge Base Software powered by Helpjuice

Expand