Bad Request

The customer reported that they were unable to access our company intranet site. They were getting a “400 Bad Request” error from Internet Explorer.

So what did I do? I picked up the phone and asked our “Web Admin” chap,
“What have you done to our poor customer?”

‘Nothing, Wisefaq, but here’s the answer to the problem:
The customer is a member of 140+ Active Directory Groups, and this is causing the Kerberos token to be far too long for our Apache Web Server to authenticate.’

Once I knew that, I was able to find lots of answers to the problem. Here are some of them:

  1. 400 Bad Request (Header Field Too Long) when using Kerberos authentication
  2. Apache Bad Request “Size of a request header field exceeds server limit” with Kerberos SSO
  3. New resolution for problems with Kerberos authentication when users belong to many groups

Number 3 was the crux of the problem, “when users belong to many groups”. We took the easy way out, and reduced the number of AD Groups the customer was a member of.

Bonus information
Not only was Internet Explorer broken, but so was any system which used Kerberos, such as our email and document management systems.
The 140+ Active Directory Groups were all direct memberships. I suspect there are some additional nested group memberships in there too.
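The cause described in the list above (a Kerberos token, carried base64-encoded in the Authorization: Negotiate header, that grows with group membership until Apache rejects the request) and the group counts in the bonus information can be sized ahead of time. The following is an added Python example written for this post, not the author's or the web admin's tooling; it assumes the commonly cited Microsoft token-size estimate (TokenSize = 1200 + 40d + 8s) and Apache's default LimitRequestFieldSize of 8190 bytes, both treated as planning figures rather than measurements.

```python
import math

# Apache httpd's default LimitRequestFieldSize (bytes per request header line).
APACHE_DEFAULT_FIELD_SIZE = 8190
# The SPNEGO/Kerberos token is sent base64-encoded after this prefix.
HEADER_PREFIX = "Authorization: Negotiate "


def estimate_token_bytes(domain_local: int, global_groups: int, sid_history: int = 0) -> int:
    """Planning estimate of the Kerberos access-token size (assumption: the
    widely cited Microsoft formula TokenSize = 1200 + 40d + 8s, where d counts
    domain-local groups, universal groups from other domains and SID-history
    entries, and s counts global groups and same-domain universal groups)."""
    return 1200 + 40 * (domain_local + sid_history) + 8 * global_groups


def estimate_header_bytes(domain_local: int, global_groups: int, sid_history: int = 0) -> int:
    """Approximate length of the Authorization header line Apache must accept:
    the prefix plus base64 expansion (4 output bytes per 3 input bytes)."""
    token = estimate_token_bytes(domain_local, global_groups, sid_history)
    return len(HEADER_PREFIX) + 4 * math.ceil(token / 3)


def fits_default_limit(domain_local: int, global_groups: int, sid_history: int = 0) -> bool:
    """True if the estimated header fits Apache's default LimitRequestFieldSize."""
    return estimate_header_bytes(domain_local, global_groups, sid_history) <= APACHE_DEFAULT_FIELD_SIZE


def suggested_limit_request_field_size(domain_local: int, global_groups: int,
                                       sid_history: int = 0, headroom: float = 0.25) -> int:
    """LimitRequestFieldSize to configure: estimated header plus headroom for
    group growth, rounded up to a 1 KiB boundary, never below the default."""
    needed = estimate_header_bytes(domain_local, global_groups, sid_history) * (1 + headroom)
    return max(APACHE_DEFAULT_FIELD_SIZE, 1024 * math.ceil(needed / 1024))


if __name__ == "__main__":
    # Constructed scenarios around the post's "140+ direct groups" user: the
    # group *type* matters far more than the raw count.
    for label, d, s in (("140 global groups", 0, 140), ("140 domain-local groups", 140, 0)):
        print(f"{label}: ~{estimate_header_bytes(d, s)} header bytes, "
              f"fits default={fits_default_limit(d, s)}, "
              f"suggested LimitRequestFieldSize={suggested_limit_request_field_size(d, s)}")
```

Reducing group membership (as the post did) shrinks the header at the source; raising LimitRequestFieldSize on the Apache side is the other lever, and this estimate gives a starting value for it.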