A domain user attempts to browse to a website hosted on Internet Information Services (IIS).  The website is configured to use Kerberos authentication.  Instead of receiving the expected web page, the user is presented with an error message similar to the following:

HTTP 400 – Bad Request (Request header too long)

This issue may occur when the user is a member of too many Active Directory groups. When a user is a member of a large number of Active Directory groups, the Kerberos authentication token for the user increases in size. The HTTP request that the user sends to the IIS server contains the Kerberos token in the WWW-Authenticate header, and the header size increases as the number of groups goes up. If the HTTP header or packet size exceeds the limits configured in IIS, IIS may reject the request and send this error as the response.

Resolutions:

  1. Decrease the number of Active Directory groups that the user is a member of.
  2. Modify the MaxFieldLength and MaxRequestBytes registry keys. They are located at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. Set them as follows:

     MaxFieldLength   DWORD  65534
     MaxRequestBytes  DWORD  16777216
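
The registry change in resolution 2 can be audited and applied with a short script. This is an added example, not code from the original page or from Microsoft; the parameter names are this example's own, the defaults are the values given above, and it assumes an elevated PowerShell session on the IIS server.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and set the HTTP.sys header limits named on this page.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Defaults are the values from this page; pass smaller ones if a lower limit is enough.
    [uint32]$MaxFieldLength  = 65534,
    [uint32]$MaxRequestBytes = 16777216
)

$key     = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
$desired = [ordered]@{
    MaxFieldLength  = $MaxFieldLength
    MaxRequestBytes = $MaxRequestBytes
}
$changed = $false

foreach ($name in $desired.Keys) {
    # A missing value means HTTP.sys is running with its built-in default.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $shown   = if ($null -eq $current) { '(not set)' } else { $current }
    Write-Output ("{0}: current={1} desired={2}" -f $name, $shown, $desired[$name])

    # Write only when the value differs, so repeated runs change nothing.
    if ($current -ne $desired[$name] -and
        $PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $($desired[$name])")) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord `
            -Value $desired[$name] -Force | Out-Null
        $changed = $true
    }
}

if ($changed) {
    Write-Warning 'Restart the HTTP service and the IIS services that depend on it (or reboot) for the new limits to apply.'
}
```

Run it with -WhatIf first to see the current values without writing anything. These limits are machine-wide HTTP.sys settings, so they apply to every site on the server, not only the one using Kerberos.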

For more information, please check the Microsoft KB: http://support.microsoft.com/kb/2020943