
SPNEGO ABAP on NW7.31 SP07 intermittent issues

Former Member
0 Kudos

All,

We have all the settings needed for SPNEGO on ABAP. I don't want to go into them here, but as the discussion moves forward I can explain all that!

SOMETIMES.....SOMETIMES when trying to log in via NWBC / WEBGUI and CRM ICWEB, users are presented with login screens.

When NWBC/WEBGUI presents a login screen, it's the typical login screen you would see as if no SSO was set up.

And if I refresh the URL a few times, I will end up getting in without actually putting in any user/pass.

When they see the ICWEB login screen, it's really just a pop-up in the browser, saying "Windows Security" (at the top). Then, in the window, it says:

"The server myCRMhostname.MyDomain.com at SAP Netweaver Application server [SID/CLIENT] requires a username and password."

Then you see a box for the username/password.

Again, just hit 'cancel' a few times and you will get in....

Sooooo strange.  SSO will work great for all users across all PCs for a few hours at a time.  Then it will stop working and we'll get those errors I noted above.

I've done TONS of research on this.  I highly suspect our Microsoft AD network...KDC has a problem, but I know nothing about that side of the house.

There are a few notes out in SAP, and threads out of Google searches, that talk about how the KDC, instead of sending a Kerberos token, will send something called an NTLM token. And when that happens, you can't log in. But it all comes down to why/how the Kerberos KDC is sending that.

How do you prove / disprove that the KDC is sending a Kerberos token (or an NTLM token) from an SAP ABAP perspective?

Or how else could I effectively troubleshoot this issue?

I really believe that NW SSO could be great for our environment, but because of all these moving parts it is proving very difficult to troubleshoot when it breaks.

Thanks

NICK

Accepted Solutions (1)

Former Member
0 Kudos

I think we finally figured this out. Note 1732610, Section 2.2 mentions a little blurb about the importance of the "local intranet zone". For us, it was the exact opposite: once I took the hostname OUT of the zones, we have worked just fine. Our company has a policy setting, so no users can alter what goes in these zones. Unfortunately, that wasn't as consistent across all users as I was told.

But again, once we cleaned up those entries we have not had the problem.

Answers (0)
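
On the question of how to prove whether a Kerberos or an NTLM token is being sent: the following is an added example, not code from either poster or from SAP. It classifies the value of the `Authorization` header the browser sends, assuming you have captured that value yourself (for example from the browser's developer tools or an HTTP trace); the function names and the sample payloads are constructed for illustration.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos V5)
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (MS Kerberos)
)

def classify_authorization(header_value):
    """Classify the value of an HTTP Authorization header sent by the browser."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"  # raw NTLMSSP message: no Kerberos ticket was sent
    if token[:1] != b"\x60":  # GSS-API initial tokens start with tag 0x60
        return "unknown"
    if NTLMSSP_SIGNATURE in token:
        return "ntlm-in-spnego"  # SPNEGO wrapper carrying an NTLM mechToken
    if any(oid in token for oid in KRB5_OIDS):
        return "kerberos"  # SPNEGO (or raw GSS) token carrying Kerberos
    return "unknown"

def tlv(tag, body):
    """Constructed-sample helper: DER tag/length/value for bodies under 128 bytes."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def sample_headers():
    """Constructed header values (placeholder payloads, not real tickets)."""
    ntlm = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + bytes(8)
    ap_req = tlv(0x60, KRB5_OIDS[0] + b"\x01\x00" + b"placeholder-ap-req")
    mech_types = tlv(0xA0, tlv(0x30, KRB5_OIDS[0]))
    neg_init = tlv(0xA0, tlv(0x30, mech_types + tlv(0xA2, tlv(0x04, ap_req))))
    spnego = tlv(0x60, SPNEGO_OID + neg_init)
    enc = lambda raw: "Negotiate " + base64.b64encode(raw).decode()
    return {"ntlm": enc(ntlm), "kerberos": enc(spnego)}

if __name__ == "__main__":
    for name, value in sample_headers().items():
        print(name, "->", classify_authorization(value))
```

A quick visual check on a captured header gives the same answer: a base64 value beginning `TlRMTVNTUAAB` is an NTLM message, while real SPNEGO tokens, which use long-form DER lengths, typically begin `YII`.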