The Kerberos token presented by an Active Directory (AD) user grows with the number of groups the user belongs to, because the ticket's PAC carries an entry for every group SID. Once the base64-encoded SPNEGO token in the HTTP Authorization header (together with the rest of the request headers) exceeds the default request header buffer size configured for PingFederate's embedded Jetty container, the request is rejected before the IWA adapter ever sees the token, and Integrated Windows Authentication (IWA) fails.
To confirm that this is the cause, enable additional logging so that the error message for the oversized request header is written to server.log; without it, the failure can look like an ordinary authentication error.
To resolve the issue for versions prior to 6.10, add or increase the headerBufferSize element for each connector in the pingfederate/server/default/deploy/jetty.sar/META-INF/jboss-service.xml configuration file. Locate

<Set name="headerBufferSize">8192</Set>

and change the value from 8192 to 12288. Make sure you change the value inside every <addConnector> element, not just the first one; each connector has its own buffer setting.
For PF 6.9 to 7.3, the equivalent setting is the RequestHeaderSize of each connector defined in jetty-runtime.xml:

<Call name="addConnector">[...] <Set name="RequestHeaderSize">8192</Set>

Change 8192 to the new value in every <Call name="addConnector"> block.
The value 12288 (12 KB) is an example used for illustration. Look at the size of the Kerberos token that is causing the problem and decide on the most suitable buffer size for your environment. Keep in mind that the limit applies to the whole request header block (request line, cookies and all other headers), not only to the Authorization header, and that the SPNEGO token travels base64-encoded, so it occupies about a third more space in the header than the raw token does. Increasing the buffer size should not have a noticeable impact on performance.

For PF 8.0+:

In the file pingfederate/bin/start.ini, find the property jetty.request.header.size and change it to the appropriate size. This changes the request header size for all Jetty connectors.

Once the changes to jboss-service.xml, jetty-runtime.xml, or start.ini have been made, restart PingFederate for them to take effect.

Note: In a clustered environment, make these changes on each engine node; configuration replication does not propagate this value. It is not necessary to make this change on the administrative console node.

For more information on the impact of AD group membership on Kerberos ticket size, see the following Microsoft articles:
Kerberos Authentication Problem with Active Directory
Problems with Kerberos authentication when users belong to many groups
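The sizing step above ("look at the size of the Kerberos token causing the problem") and the PF 8.0+ start.ini edit, as an added worked example. This is not code from the article or from Ping Identity. It assumes you have captured the failing request's header block (from a browser developer tool, an intercepting proxy, or the Jetty debug output) and it uses a constructed placeholder token rather than a real Kerberos ticket; the host name, request path and start.ini fragment are likewise constructed. The token-size estimate uses the formula Microsoft gives in the "many groups" article (TokenSize = 1200 + 40d + 8s); the 1.5x headroom and 4 KB rounding step are this example's own choices.

```python
import base64
import math
import re

# Microsoft's published estimate for the size of a user's Kerberos token (see the
# "Problems with Kerberos authentication when users belong to many groups" article):
#   TokenSize = 1200 + 40*d + 8*s
# d: domain local groups + universal groups outside the account domain (+ SID history entries)
# s: global groups + universal groups inside the account domain
def estimate_token_size(d, s):
    return 1200 + 40 * d + 8 * s


def negotiate_token(authorization_value):
    """Split an 'Authorization: Negotiate <base64>' value into (base64 text, raw token bytes)."""
    m = re.fullmatch(r"\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*", authorization_value)
    if not m:
        raise ValueError("not a Negotiate authorization value")
    encoded = m.group(1)
    return encoded, base64.b64decode(encoded)


def recommended_header_size(header_block_bytes, headroom=1.5, step=4096, floor=8192):
    """Buffer size to configure: the observed header block plus headroom, rounded up to a
    multiple of `step`, never below the 8192 default shown in the article (floor).
    The 1.5x headroom and 4 KB step are this example's choices, not values from the article."""
    needed = math.ceil(header_block_bytes * headroom)
    return max(floor, math.ceil(needed / step) * step)


def analyze_request(header_block):
    """Measure a captured request header block (request line + headers, CRLF separated).
    Jetty's limit applies to this whole block, not only to the Authorization header."""
    lines = header_block.split("\r\n")
    auth = next((l for l in lines if l.lower().startswith("authorization:")), None)
    if auth is None:
        raise ValueError("capture has no Authorization header")
    encoded, raw = negotiate_token(auth.split(":", 1)[1])
    block_len = len(header_block.encode("ascii"))
    return {
        "token_bytes": len(raw),          # size of the SPNEGO/Kerberos token itself
        "encoded_chars": len(encoded),    # what actually travels in the header (~4/3 of raw)
        "header_block_bytes": block_len,  # what must fit in the Jetty buffer
        "recommended": recommended_header_size(block_len),
    }


def set_jetty_header_size(start_ini_text, size):
    """Return start.ini contents with jetty.request.header.size=<size> (the PF 8.0+ property
    named in the article), updating the existing line or appending one if it is absent."""
    pattern = re.compile(r"^([ \t]*jetty\.request\.header\.size[ \t]*=[ \t]*)\d+[ \t]*$", re.M)
    updated, count = pattern.subn(lambda m: f"{m.group(1)}{size}", start_ini_text)
    if count == 0:
        if updated and not updated.endswith("\n"):
            updated += "\n"
        updated += f"jetty.request.header.size={size}\n"
    return updated


# Constructed sample: a 14080-byte placeholder standing in for a large SPNEGO token
# (NOT a real Kerberos ticket), wrapped in a minimal request to a hypothetical PingFederate host.
FAKE_TOKEN = bytes(range(256)) * 55
SAMPLE_HEADERS = "".join([
    "GET /idp/startSSO.ping?PartnerSpId=example HTTP/1.1\r\n",
    "Host: sso.example.com\r\n",
    "Authorization: Negotiate " + base64.b64encode(FAKE_TOKEN).decode("ascii") + "\r\n",
    "Cookie: PF=abc123\r\n",
    "\r\n",
])

# Constructed fragment of pingfederate/bin/start.ini with the default value from the article.
SAMPLE_START_INI = "# constructed start.ini fragment\njetty.request.header.size=8192\n# other properties unchanged\n"

if __name__ == "__main__":
    report = analyze_request(SAMPLE_HEADERS)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("estimated token for d=150, s=300 groups:", estimate_token_size(150, 300))
    print(set_jetty_header_size(SAMPLE_START_INI, report["recommended"]))
```

Run it against a real capture by replacing SAMPLE_HEADERS with the header block of a request from an affected user; the recommended value is what to put in start.ini (PF 8.0+) or in the headerBufferSize / RequestHeaderSize of every connector on older versions, and the change still has to be applied on each engine node and followed by a restart.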