Exchange Active Sync not working for some users due to Kerberos Token Bloat

Problem

  • You have deployed Exchange or are in the middle of a migration from an older version.
  • You discover that Active Sync is not working for some users, but it’s working fine for other users.
    • In my case I was migrating from Exchange 2007 to Exchange 2013.

Other Symptoms

  • HTTP Proxy Log contains the following error:
    • WebExceptionStatus=ProtocolError;ResponseStatusCode=400;WebException=System.Net.WebException: The remote server returned an error: (400) Bad Request.

Cause

The problem in my case was Kerberos token bloat, caused by the affected users being members of a large number of Active Directory groups (in my case 150).

As per this Technet article:

“This issue may occur when the user is a member of many Active Directory user groups. When a user is a member of a large number of active directory groups the Kerberos authentication token for the user increases in size. The HTTP request that the user sends to the IIS server contains the Kerberos token in the WWW-Authenticate header, and the header size increases as the number of groups goes up. If the HTTP header or packet size increases past the limits configured in IIS, IIS may reject the request and send this error as the response.”
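To check whether a given user is likely to hit this limit before touching the server, here is an added PowerShell example (not from the original post or the Technet article). It assumes the RSAT ActiveDirectory module is installed and that it runs on the IIS/CAS server whose HTTP.sys limits you want to compare against; the token size estimate uses the well-known formula from Microsoft KB 327825 and is an approximation, not an exact measurement.

```powershell
# Added example: estimate a user's Kerberos token size from the groups that land
# in their access token, and compare it with the HTTP.sys header limits on this host.
param(
    [Parameter(Mandatory)] [string] $SamAccountName
)
Import-Module ActiveDirectory

# tokenGroups is a constructed attribute containing every SID (nested groups included)
# that ends up in the user's token, which is what inflates the Kerberos PAC.
$user  = Get-ADUser -Identity $SamAccountName -Properties tokenGroups, sIDHistory
$sids  = @($user.tokenGroups)
$groups = foreach ($sid in $sids) {
    Get-ADGroup -Identity $sid -Properties groupScope -ErrorAction SilentlyContinue
}
$domainLocal = @($groups | Where-Object { $_.GroupScope -eq 'DomainLocal' }).Count
$global      = @($groups | Where-Object { $_.GroupScope -eq 'Global' }).Count
$universal   = @($groups | Where-Object { $_.GroupScope -eq 'Universal' }).Count
$sidHistory  = @($user.sIDHistory).Count

# KB 327825 estimate: 1200 + 40*d + 8*s bytes, where d = domain local groups
# (plus universal groups outside the user's domain and SID history) and
# s = global groups (plus universal groups in the user's domain). Universal groups
# are counted on the 40-byte side here as a deliberate worst-case assumption.
$d = $domainLocal + $universal + $sidHistory
$s = $global
$tokenBytes = 1200 + 40 * $d + 8 * $s
# The token travels base64-encoded in the HTTP header, so allow ~4/3 expansion.
$headerBytes = [math]::Ceiling($tokenBytes * 4 / 3)

# HTTP.sys request limits (bytes). When the values are absent the defaults apply
# (16 KB for both), which is the case on an untouched IIS installation.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$params = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$maxFieldLength  = if ($params.MaxFieldLength)  { $params.MaxFieldLength }  else { 16384 }
$maxRequestBytes = if ($params.MaxRequestBytes) { $params.MaxRequestBytes } else { 16384 }

[pscustomobject]@{
    User            = $SamAccountName
    GroupsInToken   = $sids.Count
    EstTokenBytes   = $tokenBytes
    EstHeaderBytes  = $headerBytes
    MaxFieldLength  = $maxFieldLength
    MaxRequestBytes = $maxRequestBytes
    LikelyRejected  = ($headerBytes -gt $maxFieldLength) -or ($headerBytes -gt $maxRequestBytes)
}
```

Run it for one working user and one affected user; a LikelyRejected of True only for the affected user, with the 400 entries in the HTTP Proxy log for the same account, is a strong indication that group membership rather than the client or mailbox is the cause.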