IBM Support

Status 400 "bad request" occurs logging in to Domino using SPNEGO



Attempts to connect to a Domino server over HTTP result in a status 400 error "Bad request" for some users who are authenticating to Domino through SPNEGO.


When a web user connects to Domino, the browser sends an HTTP header with the SPNEGO login information in a Kerberos token. Domino reads the information and uses it to authenticate the user with Active Directory, and then it sets an LTPA token for the user, providing authentication with Domino. However, if the HTTP header is longer that 16KB, this will fail, resulting in a status 400 error. This is because Domino has a default HTTP header size limit of 16KB (16,384 bytes).

Diagnosing The Problem

The size of a user's Kerberos token can be estimated with a formula
provided in the following Microsoft knowledge base article

TokenSize = 1200 + 40d + 8s

This formula uses the following values:
d: The number of domain local groups a user is a member of plus the
number of universal groups outside the user's account domain plus the
number of groups represented in security ID (SID) history.
s: The number of security global groups that a user is a member of plus
the number of universal groups in a user's account domain.
1200: The estimated value for ticket overhead. This value can vary
depending on factors such as DNS domain name length, client name, and
other factors.

Resolving The Problem

Decreasing the number of Active Directory groups that the user is a member
of will result in a shorter header, and thus resolve the problem.

You may also increase the default header size in Domino by updating the server document. This is set in the server document in the field "Maximum size of request headers" found under Internet Protocols -> HTTP -> HTTP Protocol Limits

Document information

More support for: IBM Domino

Component: Web Server

Software version: 8.5.3

Operating system(s): Windows

Reference #: 1584846

Modified date: 05 September 2018