Alexander,

If you are using an authorisation header, then you are using SPNEGO. This header encodes the user's group membership in the authorisation header. By default Tomcat has an 8k maximum header, whilst users belonging to many groups can have an authorisation token that can swell to larger than this size. This explains why you see some people can log in and others can't.
Just change the maxHttpHeaderSize to something larger than the default 8k and you should be set. We used 32k.

Chris
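An added example, not part of the original post: a Python check that compares the size of a request carrying a Negotiate token against each connector's maxHttpHeaderSize, to show which connectors would turn that user away. The server.xml fragment, host name and token sizes are constructed, and treating the limit as request line plus headers is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

# The 8k default the post refers to, applied when a Connector sets no value.
TOMCAT_DEFAULT_MAX_HEADER = 8 * 1024

# Constructed server.xml fragment: one connector on the default,
# one raised to 32k as suggested in the post.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="HTTP/1.1" maxHttpHeaderSize="32768"/>
</Service></Server>"""


def negotiate_request(token_bytes):
    """Build a constructed request head with a SPNEGO token of the given raw size."""
    token = base64.b64encode(b"\x00" * token_bytes).decode("ascii")
    head = (
        "GET /app HTTP/1.1\r\n"
        "Host: intranet.example\r\n"          # constructed host name
        f"Authorization: Negotiate {token}\r\n"
        "\r\n"
    )
    return head.encode("ascii")


def connector_limits(server_xml):
    """Map each connector port to its effective maxHttpHeaderSize in bytes."""
    root = ET.fromstring(server_xml)
    return {
        c.get("port"): int(c.get("maxHttpHeaderSize", TOMCAT_DEFAULT_MAX_HEADER))
        for c in root.iter("Connector")
    }


def rejected_ports(server_xml, request_head):
    """Ports whose limit is smaller than the request line plus headers (assumption)."""
    size = len(request_head)
    limits = connector_limits(server_xml)
    return sorted(port for port, limit in limits.items() if size > limit)


if __name__ == "__main__":
    # Constructed token sizes: few groups, many groups, very many groups.
    for raw in (2000, 9000, 30000):
        req = negotiate_request(raw)
        print(raw, len(req), rejected_ports(SERVER_XML, req))
```

Base64 adds about a third to the raw token size, so measure the header as sent on the wire rather than the ticket size alone.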