Kerberos SSO "Request header is too large" exception with Tomcat Application server
Problem
Single sign-on fails even though the SPNEGO security profile is properly set up. In the catalina.yyyy-mm-dd.log file, the following, or a similar, error message appears:
INFO [http-apr-8080-exec-7] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Request header is too large
at org.apache.coyote.http11.InternalAprInputBuffer.fill(InternalAprInputBuffer.java:564)
at org.apache.coyote.http11.InternalAprInputBuffer.parseHeader(InternalAprInputBuffer.java:442)
at org.apache.coyote.http11.InternalAprInputBuffer.parseHeaders(InternalAprInputBuffer.java:318)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1028)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2508)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2497)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Solution
It is likely that the token size of the Kerberos security tokens was increased. The Kerberos administrator can do this for various reasons. The server.xml configuration file of the Tomcat server can be altered to handle the larger token size.
- Edit server.xml using a suitable editor
- Find the "connection" section
- Add the parameter maxHttpHeaderSize="xxxxx"
- Save the file
- Restart the Platform service
The maxHttpHeaderSize parameter can be set to the exact value of the token size or higher. If no such parameter is given, the default size of 128 (bit) is used.
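
The following Python check is an added example, not part of the original article or of Tomcat. It reads the maxHttpHeaderSize attribute of each Connector element in server.xml and compares it with the bytes a base64-encoded Negotiate header of a given token size needs. The sample server.xml, the token sizes and the 1024-byte allowance for the request line and other headers are constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed server.xml excerpt (not from the article): one connector
# without the attribute, one with maxHttpHeaderSize set.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="HTTP/1.1" maxHttpHeaderSize="65536"/>
  </Service>
</Server>"""


def negotiate_header_bytes(token_len):
    """Bytes on the wire for 'Authorization: Negotiate <base64 token>' + CRLF."""
    b64_len = len(base64.b64encode(bytes(token_len)))
    return len("Authorization: Negotiate ") + b64_len + len("\r\n")


def check_connectors(server_xml, token_len, other_header_bytes=1024):
    """Return (bytes_needed, [(port, configured_limit, verdict), ...]).

    other_header_bytes is an assumed allowance for the request line and the
    remaining headers, because the limit covers the whole request header.
    """
    needed = negotiate_header_bytes(token_len) + other_header_bytes
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        raw = conn.get("maxHttpHeaderSize")
        if raw is None:
            verdict = "unset"      # connector relies on Tomcat's built-in default
        elif int(raw) >= needed:
            verdict = "ok"
        else:
            verdict = "too small"
        results.append((conn.get("port"), int(raw) if raw else None, verdict))
    return needed, results


if __name__ == "__main__":
    # 12000-byte raw token: constructed value for illustration.
    needed, results = check_connectors(SAMPLE_SERVER_XML, token_len=12000)
    print(f"request header needs about {needed} bytes")
    for port, limit, verdict in results:
        print(f"connector {port}: maxHttpHeaderSize={limit} -> {verdict}")
```

Size the value to the largest token the Kerberos administrator has configured plus headroom rather than to an arbitrary maximum, since the header buffer is allocated per connection.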