Users are attempting to use SPNEGO but get an NTLM error. A network trace on port 88 from the client shows that the client is not attempting to call out to the KDC for a Kerberos token.
Resolving The Problem
Here is the flow of actions that IE uses to decide if it should contact the KDC to get a Kerberos token.
The user goes to the URL and the browser gets a request for automatic login via Kerberos. IE checks to see if this site is one that it is configured to send credentials automatically. Here is where the IE internet settings all come into play.
First thing IE checks is it enabled:
The next thing it checks is where can it send this data to and here is where it gets tricky, there are 4 zones where the security policy can be set:
Each of these zones can have its own policy please identify if you have this value set for the following important setting:
Now to make this even more confusing (and this is where it get trickier), are the rules to define what IE considers a intranet zone. When you click on the Intranet zone and then the sites button, rather than getting a list like you do for the other 3 zones you get the following prompt:
If the highlighted option is selected IE will EXCLUDE any site listed in trusted sites. Thus, if the trusted sites policy is configured with "Automatic login only in the Intranet zone", and the site is listed as a trusted site IE will fail the security check, not try Kerberos authentication and prompt the user to supply credentials in what customers often report as a BA login screen, but is actually a NTLM prompt. After the user fills this out WebSEAL will send an error that NTLM is not supported, unless it has been modified to display a custom error page for that error which is actually a forms based login, but that is another topic.
It used to be that trusted sites were treated as intranet sites if they were also on the local intranet.
To get around this odd behavior the you have two easy options:
1) Configure the site as a trusted site, and modify the policy for the trusted zone to "Automatically login with current username and password."
2) Click on the Advanced tab on the intranet sites popup and manually add the site there, leave the policy as it.
Note that both of the above can be configured via group policy in AD.
16 June 2018