Solution

The KDC (the domain controller) has to be told not to put the authorization data (the PAC, which is what makes these tickets so big) into service tickets for this service. That is a per-account setting: set the NO_AUTH_DATA_REQUIRED bit (0x2000000, decimal 33554432) in the userAccountControl attribute of the service's account (the computer or user object that holds the SPN) in AD's LDAP directory. Note the trade-off: tickets issued for that service no longer carry the caller's group SIDs, so the service must get any group-based authorization it needs from somewhere else, such as an LDAP lookup.

We did this initially with a GUI LDAP editor, but ldapmodify can do it too. userAccountControl is a single integer and LDAP has no "set one bit" operation, so the way to set a particular bit is to read the current value, OR the bit into it outside ldapmodify, and then replace the entire attribute with the new value; replacing it with just the bit value would silently clear every other flag on the account. As a side note, here's how to search for bit fields, and how to filter on them.
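The read-modify-write described above, as an added example that is not part of the original post. The DN, the host names and the starting userAccountControl value (4096, a plain computer account) are made up for illustration; the only real constants are the bit value and the ldapmodify LDIF syntax.

```shell
#!/bin/sh
# Added example, not the original author's script. Assumes the service account's DN and
# its current userAccountControl were already read with ldapsearch (see apply_change).
NO_AUTH_DATA_REQUIRED=33554432   # 0x2000000, decimal because POSIX sh arithmetic needs it

# Return the current value with the bit set. OR keeps every other flag and is idempotent.
set_no_auth_data_required() {
    echo $(( $1 | NO_AUTH_DATA_REQUIRED ))
}

# Return the current value with the bit cleared, for rolling the change back.
clear_no_auth_data_required() {
    echo $(( $1 & ~NO_AUTH_DATA_REQUIRED ))
}

# Exit status 0 if the bit is already set in the given value.
has_no_auth_data_required() {
    [ $(( $1 & NO_AUTH_DATA_REQUIRED )) -ne 0 ]
}

# Emit the LDIF ldapmodify consumes: a "replace" of the whole attribute with the new value.
make_ldif() {
    dn=$1
    current=$2
    printf 'dn: %s\nchangetype: modify\nreplace: userAccountControl\nuserAccountControl: %s\n' \
        "$dn" "$(set_no_auth_data_required "$current")"
}

# End-to-end procedure against a real DC. Not run here; host, base DN and bind DN are
# placeholders you must replace. Read the value first, then write the recomputed one.
apply_change() {
    dn='CN=web01,CN=Computers,DC=example,DC=com'        # hypothetical service account
    current=$(ldapsearch -LLL -H ldaps://dc.example.com -D 'CN=admin,CN=Users,DC=example,DC=com' -W \
        -b "$dn" -s base userAccountControl | sed -n 's/^userAccountControl: //p')
    if has_no_auth_data_required "$current"; then
        echo "bit already set on $dn" >&2
        return 0
    fi
    make_ldif "$dn" "$current" | ldapmodify -H ldaps://dc.example.com -D 'CN=admin,CN=Users,DC=example,DC=com' -W
}
```

Run it as `sh -c '. ./uac.sh; apply_change'` after editing the placeholders; `make_ldif` alone prints the LDIF so you can inspect it before it touches the directory.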