Hi Nick, one thing first: this has nothing to do with SLC. SPNego will (should) do without SLC installed on the PC. SPNego is something between Browser, AD Domain Controller and SAP Backend. Did you mean SLL (Secure Login Library) or CCL (Common Cryptolib)?
Nearly all configuration errors that come to my mind cause permanent failure.
Since your issue is a temporary one that vanishes with browser refreshs I would do research into two directions before doing anything else:
1. You have a load balanced environment with many application servers and only one appliction server has a configuration flaw (very improbable if it is really only 1% of the use cases) ? --> compare application servers' profiles
2. Your broken clients have a temporary connectivity issue with their AD domain controller (saturated network, whatsoever ...) at the time they request the Kerberos ticket for your SAP system? --> There should be corresponding error message in the PCs traces. Your AD admin guys should be able to analyze this.
I whish you good luck in hunting this down. If you ever get to see this yourself again try to do an http trace to verify that SAP sends the negotiate header and the Kerberos ticket is sent to SAP. And check if your PC received a ticket for your system at all using command line tool klist.
Regards,
Lutz