SSO Login: IE11 Kerberos token exceeds Tomcat maxHeaderSize
Summary
When IE11 users access Pega through the Single-Sign-On URL, they experience intermittent HTTP 400 errors. Firefox users do not experience any issues.
Error Messages
HTTP 400
Steps to Reproduce
Configure Tomcat 7.0.59 for Kerberos authentication using the SPNEGO Realm.
Root Cause
IE11 sends the full Kerberos token, which is large enough to exceed the default Tomcat maxHttpHeaderSize of 8192 (8KB).
Note: The default value in Tomcat 6 for maxHttpHeaderSize is 4096.
Resolution
Make the following change to the operating environment:
Increase the maxHttpHeaderSize in the Tomcat HTTP connector settings.
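The following check is an added example, not code from the original article or from Pega or Tomcat: it reads the Connector elements of a server.xml and reports whether a request carrying a Negotiate token of a given length fits within each HTTP connector's maxHttpHeaderSize. The server.xml content, host name, URL path, token lengths and the 65536 value are constructed for illustration, and the size calculation is an estimate of the request line plus headers.

```python
import xml.etree.ElementTree as ET

TOMCAT7_DEFAULT = 8192  # Tomcat 7 default maxHttpHeaderSize, as stated above

# Constructed server.xml (not from the article): one HTTP connector left on
# the default, one with the limit raised, and an AJP connector.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" protocol="HTTP/1.1" maxHttpHeaderSize="65536" />
  <Connector port="8009" protocol="AJP/1.3" />
</Service></Server>"""


def header_bytes(request_line, headers):
    """Size of request line + header lines + terminating blank line."""
    lines = [request_line] + [f"{k}: {v}" for k, v in headers.items()]
    return len("\r\n".join(lines).encode("latin-1")) + 4


def request_size(token_len):
    """Constructed SSO request; 'A' * token_len stands in for the base64 token."""
    return header_bytes("GET /sso HTTP/1.1", {
        "Host": "pega.example.com",  # placeholder host
        "Authorization": "Negotiate " + "A" * token_len,
    })


def check_connectors(server_xml, needed, default=TOMCAT7_DEFAULT):
    """Return {port: (limit, fits)} for each HTTP connector."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
            continue  # only HTTP connectors are checked here
        # A connector without the attribute runs on the default limit.
        limit = int(conn.get("maxHttpHeaderSize", default))
        report[conn.get("port")] = (limit, needed <= limit)
    return report


if __name__ == "__main__":
    for token_len in (2000, 12000):
        size = request_size(token_len)
        for port, (limit, fits) in check_connectors(SERVER_XML, size).items():
            print(f"token={token_len} request={size}B port={port} "
                  f"limit={limit} -> {'ok' if fits else 'HTTP 400'}")
```

Size the new limit from the largest token observed rather than an arbitrary maximum, since a larger maxHttpHeaderSize also raises how much header data the connector accepts from any client.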
Published January 31, 2016 - Updated October 8, 2020