Status 400 "bad request" occurs logging in to Domino using SPNEGO



Attempts to connect to a Domino server over HTTP result in a status 400 error "Bad request" for some users who are authenticating to Domino through SPNEGO.


When a web user connects to Domino, the browser sends an Authorization: Negotiate HTTP header carrying the SPNEGO login information as a base64-encoded Kerberos token. Domino reads the token, uses it to authenticate the user against Active Directory, and then sets an LTPA token for the user, which provides authentication with Domino from then on. The Kerberos token grows with the number of groups the user belongs to, because each group SID is carried inside the ticket. If the request headers are longer than 16KB, the request fails with a status 400 error, because Domino has a default limit on the size of request headers of 16KB (16,384 bytes).

Diagnosing The Problem

The size of a user's Kerberos token can be estimated with the formula provided in a Microsoft knowledge base article:

TokenSize = 1200 + 40d + 8s

This formula uses the following values:

d: the number of domain local groups the user is a member of, plus the number of universal groups outside the user's account domain, plus the number of groups represented in the user's SID history.
s: the number of global security groups the user is a member of, plus the number of universal groups in the user's account domain.
1200: the estimated ticket overhead. This value varies with factors such as the DNS domain name length and the client name.

Note that the formula estimates the raw token. The browser sends the token base64-encoded, which adds about one third to its size, and the other request headers (cookies, User-Agent, and so on) count towards the same 16KB limit. A raw token of roughly 12KB is therefore already enough to exceed the default.
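The estimate above, carried through to the bytes that actually reach Domino, as an added example (not code from the original article or from HCL/IBM). It applies the Microsoft formula, accounts for the base64 expansion of the Authorization: Negotiate header defined in RFC 4559, compares the result with the 16,384-byte default, and measures a captured header line. Assumptions: Domino counts the whole header line including the header name and its CRLF, and the limit applies to the request header block as a whole; the sample token is constructed filler, not a real Kerberos ticket.

```python
import base64
import math

# Domino's default "Maximum size of request headers" (16 KB) from the article.
DOMINO_DEFAULT_HEADER_LIMIT = 16384

# Wire format of the SPNEGO header per RFC 4559: "Authorization: Negotiate <base64>" CRLF.
HEADER_PREFIX = "Authorization: Negotiate "
CRLF_BYTES = 2


def estimate_token_size(d, s, overhead=1200):
    """Microsoft's estimate of the raw Kerberos token in bytes: 1200 + 40d + 8s.

    d: domain local groups + universal groups outside the account domain + SID-history entries
    s: global groups + universal groups inside the account domain
    """
    return overhead + 40 * d + 8 * s


def base64_length(raw_bytes):
    """Base64 expands every 3 input bytes to 4 output characters, padded to a multiple of 4."""
    return 4 * math.ceil(raw_bytes / 3)


def estimate_negotiate_header_size(token_bytes):
    """Bytes the Negotiate header line occupies on the wire, including its trailing CRLF.

    Assumption: Domino counts the full header line (name, scheme, value and CRLF).
    """
    return len(HEADER_PREFIX) + base64_length(token_bytes) + CRLF_BYTES


def will_exceed_limit(d, s, other_header_bytes=0, limit=DOMINO_DEFAULT_HEADER_LIMIT):
    """True if the estimated Negotiate header plus the rest of the request headers
    (cookies, User-Agent, ...) would exceed Domino's limit.

    Assumption: the limit applies to the request header block as a whole.
    """
    total = estimate_negotiate_header_size(estimate_token_size(d, s)) + other_header_bytes
    return total > limit


def max_raw_token_bytes(limit=DOMINO_DEFAULT_HEADER_LIMIT, other_header_bytes=0):
    """Largest raw token whose base64 form still fits under the limit."""
    room_for_b64 = limit - other_header_bytes - len(HEADER_PREFIX) - CRLF_BYTES
    return (room_for_b64 // 4) * 3


def measure_negotiate_header(header_line):
    """Measure a captured 'Authorization: Negotiate ...' line: wire bytes and decoded token size."""
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "authorization":
        raise ValueError("not an Authorization header")
    scheme, _, b64 = value.strip().partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate (SPNEGO) header")
    token = base64.b64decode(b64, validate=True)
    return {
        "header_bytes": len(header_line.encode("ascii")) + CRLF_BYTES,
        "token_bytes": len(token),
    }


# Constructed stand-in for a captured token: 12,288 arbitrary bytes, NOT a real
# Kerberos ticket. It sits just above the raw size that fits under the default limit.
CONSTRUCTED_TOKEN = bytes(range(256)) * 48
CONSTRUCTED_HEADER = HEADER_PREFIX + base64.b64encode(CONSTRUCTED_TOKEN).decode("ascii")

if __name__ == "__main__":
    print("raw token that still fits under 16 KB:", max_raw_token_bytes())
    for d, s in ((100, 50), (300, 100)):
        raw = estimate_token_size(d, s)
        print(f"d={d} s={s}: raw={raw} header={estimate_negotiate_header_size(raw)} "
              f"exceeds={will_exceed_limit(d, s)}")
    print(measure_negotiate_header(CONSTRUCTED_HEADER))
```

The point to take from running it: a user whose raw token estimates at 14,000 bytes (for example d=300, s=100) looks safely under 16KB on paper, but the base64-encoded header is about 18.7KB and the request is rejected. With no other headers at all, the largest raw token that fits is 12,267 bytes, and every cookie the browser sends lowers that figure.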

Resolving The Problem

Decreasing the number of Active Directory groups the user is a member of (including nested group memberships and stale SID history entries) shortens the Kerberos token, and with it the request header, which resolves the problem without changing the server.

You may also increase the default header size in Domino by updating the server document. The setting is the field "Maximum size of request headers" under Internet Protocols -> HTTP -> HTTP Protocol Limits; restart the HTTP task (tell http restart) afterwards so the new limit takes effect. Size the new value to the headers the affected users actually send rather than to an arbitrarily large number, because the limit also bounds what an unauthenticated client can push into the HTTP task.

