Request Header Fields Too Large using Windows Login in Application Server

The Message “Request Header Fields Too Large” can appear in Application Servers when using Windows Authentication with our Applications.


  • Version 24.4 or newer
  • Deployment of *.war or *.ear in application server, such as Tomcat


  • Users with large amount of group memberships receive a Request Header Fields Too Large with HTTP status code 431 or 400


  • Since v24.4 the Windows Authentication plugin supports negotiation using Kerbereos tickets. These tickets can get large, depending on the group memberships. See reference

You do one of the following to resolve the issue:

  1. Temporary: In the Login Settings of the applications Configuration Manager, change the Negotiate + NTLM setting to NTLM
  2. Recommended: Change the maximum HTTP request header size in your Application Server (e.g. Tomcat) to, e.g. 64k. Details about how to do this can be found in your application server’s documentation.