Channel: SCN: Message List - SAP Single Sign-On

Re: SPNEGO - sometimes still prompted for ICWEB login


Hey Lutz,

 

First off, thank you very much for taking the time to look at my thread!

 

Totally agree with you that the SLC has nothing to do with this.  I just get used to adding that info when I open messages/threads about SSO.  All our users have that software because most also use the SAPGUI with SNC in addition to the SPNEGO for ICWEB BSP.  But I get your point that it is not relevant at all in this case.

 

Yes, I really meant the version of the SLL (secure login library) which would most definitely be relevant in this case.

 

As I stated before, the SPNEGO solution to gain SSO access to the CRM ICWEB BSP over the Internet Explorer browser works 99% of the time for my users.  For the few times my users get prompted for the login screen at the /sap/crm_logon BSP, if they "refresh" --- hit <F5> in their browser, then they get in just fine.  But the whole thing is rare, but I know it happens because it does get reported.

 

I have tried numerous things.  Even going direct to bypass the load balancer.  I have 4 application servers behind the load balancer, and I can consistently go to each one direct.  Like I said, this is very random.  But honestly, when you have 150+ users and you have to tell them a consistent way to reach the application, you can't go around changing things easily.

 

It's just soooooo random!

 

1.  For sure, I have verified the profile parameters are EXACTLY the same across all the 4 systems.  I do not see any inconsistency.

 

Furthermore, the load balancing does a PRETTY good job sending to each of the 4 all day.  So I would get reports MUCH more often if it was as simple as just one of the four having a consistent issue.  Again, it works fine 99% of the time!

 

2.  You mention "PC traces"....and a possible broken connection with the request for a Kerb ticket.

Could you please expand on exactly where these traces would be on the PC?  I don't know how easy to work with your AD guys are, but mine need quite a bit of direction, so I need to give them something more, like exactly where to look......

 

I wish I could say any of the things you mentioned as suggestions are realistically feasible.

http trace...klist....

 

Because in the real world, with hundreds of users trying to work, there isn't time for that!

 

Would there be any value in the SPNEGO trace?

 

--NICK

