Kerberos: can't get TGT for HOST/abc@abc.com - Realm not local to KDC

For MS i still get a logon prompt

Can you clarify? Is this for an IIS-based application?

this is sharepoint that always throws the prompt

At this point, looking at it with WireShark, you should probably see an HTTP request going to SharePoint from APM with a Kerberos ticket in it (an Authorization header). If so, that would indicate that SharePoint is rejecting the ticket.

At this point, looking at it with WireShark, you should probably see an HTTP request going to SharePoint from APM with a Kerberos ticket in it (an Authorization header). If so, that would indicate that SharePoint is rejecting the ticket.

here is the debug for the GSSAPI

adding item to WorkQueue

sid: ctx:0x8d1b978 server address = ::ffff:10.10.10.10

sid: ctx:0x8d1b978 SPN = HTTP/portal.abc.com@ABC:COM

Kerberos: realm for user someone is not set, using server's realm ABC.COM

S4U ======> ctx: , sid: 0x8d1b978, user: someone@ABC.COM, SPN: HTTP/portal.abc.com@ABC:COM

metadata len 409

Could not find SSO domain, check variable assign agent setting

Websso Kerberos authentication for user 'someone' using config '/Common/kerberos:sso_401'

adding item to WorkQueue

Yes That is with the Authorization to always

when authorization turned to 401 there is nothing in the debug and the same for the MS-SPS. That makes it difficult

The debug you're showing is actually normal. You said earlier that you were getting S4U -> OK in the log. If that's still true, can you determine if an HTTP request is being sent to SharePoint with an Authorization header?

Just rebuilt the SSO and SPS works Thanks for your constant inputs

Did you use the same settings as before, with the SPN-formatted username? If so, that should have had the same effect as doing this in the shell:

bigstart restart websso    

Admittedly I forgot to mention that command.