“Error 400 – Bad Request” on the client.

If you enable FINE logging on Catalina you
will get the following errors:

Error parsing HTTP request header

Request header is too large

When a user is a member of a large number of active directory groups the Kerberos authentication token for the user increases in size.

The HTTP request that the user sends contains the Kerberos token in the header, and the header size increases as the number of groups goes up.

Enlarge the maxHttpHeaderSize in the connector you use in the tomcat-*/conf > server.xml file.