SSO and Kerberos Token Size
I will try and explain this and hopefully make sense. We are an EPM 11.1.2.0 (yes, 2.0) HFM, FDM, Reporting Server environment. Recently added SSO so individuals logging into HFM can do so without entering an id/pwd, a Kerberos ticket is passed.
This works fine for 99+% of our users, however we have 2 (so far) that because they exist in many Active Directory groups (many which are nested (group within a group)) their Kerberos token is too large and the SSO process generates a 401-Bad Request. If the user removes themselves from a number of groups the SSO ticket will work and they can use SSO into HFM. The Windows 2008 servers have the MaxTokenSize already increased in the registry.