So what did I do? I picked up the phone and asked our "Web Admin" chap,
"What have you done to our poor customer".
‘Nothing Wisefaq, but here’s the answer to the problem:
The customer is a member of 140+ Active Directory Groups, and this is causing the Kerberos token to be far too long for our Apache Web Server to authenticate.’
Once I knew that, I was able to find lots of answers to the problem. Here are some of them:
- 400 Bad Request (Header Field Too Long) when using Kerberos authentication
- Apache Bad Request “Size of a request header field exceeds server limit” with Kerberos SSO
- New resolution for problems with Kerberos authentication when users belong to many groups
Number 3 was the crux of the problem, “when users belong to many groups”. We took the easy way out, and reduced the number of AD Groups the customer was a member of.
Not only was Internet Explorer broken, but any system which used Kerberos, such as our email and document management system.
140+ Active Directory Groups, which were direct membership. I suspect there are some additional nested group memberships in there too.