Environment
NetIQ Access Manager 3.2
NetIQ Access Manager 3.2.2
NetIQ Access Manager 3.2.2IR2
Situation
- NIDP server is protected by an Access Gateway proxy service (the NIDP server sits behind the Access Gateway, so browser requests reach it only through the gateway)
- NIDP server does not log any error message in catalina.out
- The configured fall-back authentication method comes up, as if the browser client had not passed a Kerberos service ticket
- NIDP connector configuration has already been adjusted with the Tomcat connector attribute maxHttpHeaderSize="32768"
- running Apache in debug mode on the Access Gateway logs the following entry in the error_log file: 400 Bad Request "Size of a request header field exceeds server limit"
Resolution
- add the following Apache core server directive to the Access Gateway "Advanced Options" setting: "LimitRequestFieldSize 32768". The directive applies to every request header field, so every hop in front of the NIDP (the Access Gateway's Apache and the NIDP's Tomcat connector) has to accept the header; raising the limit on only one of them still produces the fall-back authentication
- to avoid allocating too much memory, calculate the actual size of the Kerberos service ticket with the Microsoft TOKENSZ utility on a workstation, running "tokensz /compute_tokensize", and size the limit from that value instead of picking an arbitrarily large number
- See also: https://www.netiq.com/communities/cool-solutions/kerberos-authentication-may-fail-access-manager-identity-server-users-large-group-members/ for further details
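The following script is an added example and is not part of this TID or of the NetIQ product. It turns a ticket size as reported by tokensz /compute_tokensize into the length of the "Authorization: Negotiate" header line the browser will send (the ticket travels base64-encoded in that header), suggests a LimitRequestFieldSize close to the real need, and checks a constructed request against a limit the way Apache does, so you can see which header field triggers the 400 at the default 8190 bytes and confirm that 32768 accepts it. The 12000-byte token, the request and the hostname are constructed for illustration.

```python
"""Size an Apache LimitRequestFieldSize value for Kerberos (SPNEGO) logins.

Added example, not part of this TID or of the NetIQ product. Assumptions:
- the token size passed in is the byte count reported by tokensz /compute_tokensize;
- the browser sends the ticket base64-encoded in an "Authorization: Negotiate" header;
- the request below is constructed for illustration, with a random 12000-byte token.
"""
import base64
import math
import os

# Apache httpd's compiled-in default for LimitRequestFieldSize, in bytes.
APACHE_DEFAULT_LIMIT = 8190
HEADER_PREFIX = "Authorization: Negotiate "


def negotiate_header_length(token_size_bytes: int) -> int:
    """Length of the full header line the browser sends for a ticket of the
    given size. Base64 turns every 3 input bytes into 4 output characters,
    padding the last group, so the encoded length is 4 * ceil(n / 3)."""
    encoded_len = 4 * math.ceil(token_size_bytes / 3)
    return len(HEADER_PREFIX) + encoded_len


def recommended_limit(token_size_bytes: int, headroom: float = 0.25) -> int:
    """Smallest LimitRequestFieldSize, rounded up to a 1 KiB multiple, that
    fits the header plus the given headroom (tickets grow with group count).
    Keeping this close to the real need bounds the per-field read buffer
    Apache may allocate for every request, which is the memory concern
    behind measuring with tokensz instead of picking a large round number."""
    needed = negotiate_header_length(token_size_bytes) * (1 + headroom)
    return math.ceil(needed / 1024) * 1024


def oversized_fields(raw_request: bytes, limit: int = APACHE_DEFAULT_LIMIT) -> list:
    """Names of the header fields whose line (name and value) is longer than
    the limit. Any such field makes httpd answer 400 with 'Size of a request
    header field exceeds server limit', so the request never reaches the NIDP."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    header_lines = head.split(b"\r\n")[1:]  # drop the request line
    return [line.split(b":", 1)[0].decode("ascii")
            for line in header_lines if len(line) > limit]


# Constructed sample request: a 12000-byte ticket, the kind of size a user
# who is a member of many groups produces.
SAMPLE_TOKEN_SIZE = 12000
SAMPLE_REQUEST = (
    b"GET /nidp/app HTTP/1.1\r\n"
    b"Host: idp.example.com\r\n"
    + HEADER_PREFIX.encode("ascii")
    + base64.b64encode(os.urandom(SAMPLE_TOKEN_SIZE))
    + b"\r\n\r\n"
)

if __name__ == "__main__":
    print("header line length        :", negotiate_header_length(SAMPLE_TOKEN_SIZE))
    print("rejected at default 8190  :", oversized_fields(SAMPLE_REQUEST))
    print("rejected at 32768         :", oversized_fields(SAMPLE_REQUEST, 32768))
    print("suggested LimitRequestFieldSize:", recommended_limit(SAMPLE_TOKEN_SIZE))
```

With the constructed 12000-byte token the Authorization line is 16025 bytes, so the default limit rejects it and 32768 accepts it; the suggested value for that ticket is 20480. Feed the real tokensz output into recommended_limit and apply the same value (or larger) on both the Access Gateway and the NIDP Tomcat connector.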