When a user logs into the SMP they receive the error: HTTP 400 - Bad Request (Request header too long)

HTTP 400 - Bad Request (Request header too long)

This is an error generated from IIS. This is usually caused by the user being in hundreds of AD groups and therefore increasing their Kerberos token size to a size that is over the limits created in IIS

In an nut shell here is the issue.  During authentication a Kerberos token is passed to the server needing authentication. The more groups a user is a member of the larger that user’s token is going to be.   While 2012 does allow for a very large token (48KB), IIS still limits it’s overall request size to 16KB which include both the URL and the Kerberos token. 

Once the request size and field lengths are set to allow more data in the request, the issue will be resolved.  

Follow this document and adjust the IIS settings until you are happy with the response.

http://support.microsoft.com/kb/2020943

One customer found some workarounds, rather than contacting Microsoft to find out the cause of the Kerberos related authentication issue:

1. RDP to the NS and access the NS Console by using http://localhost/altiris  (name / FQDN does not work)
2. Access the NS Console remotely using the IP Address of the NS instead of name