2825947 - Windows AD SSO fails with a logon screen or various generic error messages

• After following the steps to setup AD SSO in KBA 2629070, older systems using KBA 1631734, on unix/linux KBA 1965433 users land on a logon screen or receive an error
• If looking at web/app tracing, vintela logs, tomcat stderr.log, or a packet scanner on the client, there are no clear errors to identify the cause of the failure
• A message shown in the web/app log that may also appear in the vintela.log or stderr.out  "Message: idm.allowNTLM=false but client tried to do NTLM regardless"
  
• A recent failure picked up this failure in a packet scan "error-code: eRR-S-PRINCIPAL-UNKNOWN (7)" for this the TGT not an actual principal "SNameString: krbtgt"
• KBA's used to troubleshoot this 2820819, 2684843, or 1969914. 
• A list of possible errors is below but note it may just fail with a logon screen or another error that hasn't been added to the list yet.

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type ##, KVNO ##, Principal HTTP/yyy.xxx.xxx.local using key: Principal: [1] service acount KVNO: ## EncType: ## Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure[Note: principal names are different; this may or may not be a problem] [Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?

KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

Packet scan shows NTLMSSP_NEGOTIATE

SAP Businessobjects Business Intelligence Platform 4.x 4.1 4.2 4.3 (all versions or BI and patches)

emkba biauth single sign on automatic logon spnego negotiate kerberos active directory microsoft account workstation , KBA , BI-BIP-AUT , Authentication, ActiveDirectory, LDAP, SSO, Vintela , Problem