HTTP 400 - Bad Request (Request Header too long)
This may only affect some users, especially those who are members of a large number of Active Directory® groups.
AM does not put a limit on the token size. This issue occurs when the Kerberos token being sent by the browser (in the Authorization: Negotiate section of the HTTP request header) is bigger than the token's MaxTokenSize setting. This can happen when a user is a member of a large number of Active Directory groups (typically more than 120 universal groups), which results in a much larger token.
The token has a fixed maximum size (MaxTokenSize) depending on the version of Microsoft® Windows® used to build the token. Transport protocols such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication operations.
See Problems with Kerberos authentication when a user belongs to many groups for further information.
You can resolve this issue by setting the MaxTokenSize registry entry to a larger value on each computer that participates in the Kerberos authentication process, including the client computers.
See Problems with Kerberos authentication when a user belongs to many groups for further information on setting the MaxTokenSize registry entry.
You can work around this issue by increasing the max header size in the web application container. You should increase it to a size that will accommodate your expected token sizes. You can capture an HTTP trace when authentication fails to help you determine the size of the token being passed in the header. Otherwise, increasing it to 16KB is a good starting point.
This option may consume more memory; you should test this to determine the optimal size in your environment.
For example, for Tomcat:
- Edit the server.xml file and amend the maxHttpHeaderSize value, for example, to increase it to 16KB:
  <Connector port="443" maxHttpHeaderSize="16384" protocol="HTTP/1.1" SSLEnabled="true"
  If this attribute is not present, you should add it with the new value.
See Apache Tomcat 9 Configuration Reference: HTTP Connector for further information.
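To size the header limit from a captured HTTP trace, as suggested above, the following added example (not part of the original article or of AM) measures the request line plus headers and the decoded Negotiate token, then checks them against a given maxHttpHeaderSize. The sample request, host name, path and 9000-byte placeholder token are constructed for illustration, and the byte count is an approximation of how the container counts the header block.

```python
import base64
import binascii

TOMCAT_DEFAULT_LIMIT = 8192   # Tomcat 9 default maxHttpHeaderSize, in bytes
RAISED_LIMIT = 16384          # the 16KB starting point from the article

def measure_request(raw: bytes) -> dict:
    """Measure the header block of one captured HTTP/1.x request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    sizes = {"header_bytes": len(head) + 4,   # request line + headers + blank line
             "negotiate_header_bytes": 0, "token_bytes": 0}
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(b":")
        scheme, _, b64 = value.strip().partition(b" ")
        if name.strip().lower() != b"authorization" or scheme.lower() != b"negotiate":
            continue
        sizes["negotiate_header_bytes"] = len(line) + 2
        try:
            sizes["token_bytes"] = len(base64.b64decode(b64.strip()))
        except binascii.Error:
            # Trace was cut mid-token: estimate from the base64 length instead.
            sizes["token_bytes"] = len(b64.strip()) * 3 // 4
    return sizes

def exceeds(raw: bytes, max_http_header_size: int) -> bool:
    """True if the request line plus headers would not fit in the limit."""
    return measure_request(raw)["header_bytes"] > max_http_header_size

# Constructed sample: a 9000-byte placeholder stands in for a real Kerberos token.
SAMPLE_TOKEN = base64.b64encode(b"\x00" * 9000)
SAMPLE_REQUEST = b"\r\n".join([
    b"GET /protected HTTP/1.1",
    b"Host: am.example.com",
    b"Authorization: Negotiate " + SAMPLE_TOKEN,
]) + b"\r\n\r\n"

if __name__ == "__main__":
    print(measure_request(SAMPLE_REQUEST))
    for limit in (TOMCAT_DEFAULT_LIMIT, RAISED_LIMIT):
        print(limit, "too small" if exceeds(SAMPLE_REQUEST, limit) else "fits")
```

Base64 encoding makes the header roughly a third larger than the token itself, so size the limit from header_bytes rather than token_bytes.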