Apache Bad Request "Size of a request header field exceeds server limit" with Kerberos SSO

My gut says you've got a very large security token, possibly because the user is a member of a large number of groups. The AD Kerberos implementation is going to provide Apache with a Privilege Attribute Certificate (PAC) by default. This structure can be large if the user is a member of a significant number of groups. You can use the tokensz.exe tool to see the user's token size.

If this is the problem, you can modify the UserAccountControl attribute of the user's account to prevent the PAC from being sent.

You may be able to get away with modifying your /etc/krb5.conf file to reference the KDC as kdc = tcp/kdc.name.here. This problem can occur if the PAC causes the token to be too large for a UDP datagram, but forcing the communication to the KDC with TCP is a possible workaround, too.

Changing that value on 1,000 users isn't difficult for your AD admins if it solves your problem.


I found another solution, though I'm not sure if it really works. The Apache docs state that for big packages I'll have to set LimitRequestFieldSize and/or LimitRequestLine.

The thing is that if you want to set the value of LimitRequestLine to anything higher than 8KB then you'll have to modify the source and recompile Apache, as 8KB is the fixed maxSize (http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline).

I don't know for sure if this method works, because I reinstalled Apache from our own repository on a second server later. It seems that this was a different package version, as the problem didn't occur there.
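A way to check which header line trips the limit discussed in the answers above, as an added example that is not part of the original answers. It assumes Apache's default LimitRequestFieldSize of 8190 bytes and that the limit is compared against the whole header line; the function names, host name and zero-filled token are constructed for illustration.

```python
import base64

# Apache's documented default for LimitRequestFieldSize, in bytes.
DEFAULT_LIMIT = 8190


def oversized_fields(raw_request: bytes, limit: int = DEFAULT_LIMIT):
    """Return (name, line_length, detail) for each header line over the limit."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    findings = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if len(line) <= limit:
            continue
        name, _, value = line.partition(b":")
        value = value.strip()
        detail = ""
        lname = name.strip().lower()
        if lname == b"authorization" and value.lower().startswith(b"negotiate "):
            # Kerberos SSO: the SPNEGO token is base64-encoded, which adds ~33%.
            token = value.split(None, 1)[1]
            try:
                raw = base64.b64decode(token, validate=True)
                detail = f"SPNEGO token {len(raw)} bytes before base64"
            except ValueError:
                detail = "Negotiate token is not valid base64"
        elif lname == b"cookie":
            detail = f"{value.count(b';') + 1} cookies"
        findings.append((name.decode("latin-1"), len(line), detail))
    return findings


def sample_request(token_bytes: int) -> bytes:
    """Constructed request: a zero-filled blob stands in for a real ticket."""
    token = base64.b64encode(bytes(token_bytes))
    return (b"GET / HTTP/1.1\r\nHost: intranet.example\r\n"
            b"Authorization: Negotiate " + token + b"\r\n\r\n")


if __name__ == "__main__":
    for size in (3000, 7000):
        print(size, oversized_fields(sample_request(size)))
```

Feed it a request captured from a failing client to see whether the Authorization or the Cookie line is the one over the limit, and pass `limit=` to test a proposed LimitRequestFieldSize value before changing the server.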


I had this error happening on a Drupal 7 site in Safari on Mac and found that closing the browser windows and clearing the cache of the browser, quitting the browser, opening it back up and reloading the page worked to discontinue the error which has only happened this one time.

> Bad Request
> Your browser sent a request that this server could not understand.
> Size of a request header field exceeds server limit. Cookie /n


In case anyone hits this problem with mod_proxy_ajp, take a look at: From which Apache version onward is LimitRequestFieldSize no longer hardcoded to 8k max?