400 Bad Request and Internet Explorer.

Bad RequestThe customer reported that they were unable to access our company intranet site.  They were getting an "400 Bad Request" error from Internet Explorer.

So what did I do?  I picked up the phone and asked our "Web Admin" chap,
"What have you done to our poor customer".

‘Nothing Wisefaq, but here’s the answer to the problem:
The customer is a member of 140+ Active Directory Groups, and this is causing the Kerberos token to be far too long for our Apache Web Server to authenticate.’

Once I knew that, I was able to find lots of answers to the problem.  Here are some of them:

  1. 400 Bad Request (Header Field Too Long) when using Kerberos authentication
  2. Apache Bad Request “Size of a request header field exceeds server limit” with Kerberos SSO
  3. New resolution for problems with Kerberos authentication when users belong to many groups
    Number 3 was the crux of the problem, “when users belong to many groups”.  We took the easy way out, and reduced the number of AD Groups the customer was a member of.

Bonus information
Not only was Internet Explorer broken, but any system which used Kerberos, such as our email and document management system.
140+ Active Directory Groups, which were direct membership.  I suspect there are some additional nested group memberships in there too.