This page explains errors that were not covered in the blogs. Feel free to add more:
The following errors were mentioned in Configuring and troubleshooting SPNego -- Part 3:
NTLM token received
Windows integrated authentication is not enabled
Clock skew too great (37)
Integrity check on decrypted field failed (31)
Acquiring credentials for realm failed
(Sun has released JDK 1.4.2_17 -- but it still seems to have the same bug)
KDC has no support for encryption type
Length octets must contain values [0x01;0xFF]. Found 0 // Integrity check on decrypted field failed (31)
Single Sign On was not working in this case. From the logs you could see that a Kerberos Token was sent from the client, but then you got the error: Length octets must contain values [0x01;0xFF]. Found 0.
Further down the error CreateContext failed: GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31)) was shown.
As it turned out, the ServicePrincipalName (setspn -A ...) was set for a different user and not the one used during the SPNego Wizard installation. So when you run ldifde -r (serviceprincipalname=HTTP/...), make sure you really get the user you used in the Wizard.
Service User is locked in ADS
Firewall settings: J2EE Engine is unable to connect to KDC
Firewall settings GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
SocketTimeOutException with attempt: 3 (screenshots will follow soon)
J2EE Engine configured with SSL (HTTPS)
Although the J2EE Engine is accessed with HTTPS, the setting for the ServicePrincipalName still has to be HTTP/servername (and not HTTPS/servername). If HTTP/servername is not used, no Kerberos ticket will be created for the user.
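The two SPN checks described above (the HTTP/... SPN must belong to the service user chosen in the Wizard, and it must be HTTP/ rather than HTTPS/) can be run against an LDIF export of the matching accounts. This is an added example, not part of the original page; the sample export, account names, host name and function names are constructed for illustration.

```python
import base64

# Constructed sample in LDIF form (the format ldifde exports); all names are made up.
SAMPLE_LDIF = """\
dn: CN=j2ee-svc,CN=Users,DC=example,DC=com
sAMAccountName: j2ee-svc
servicePrincipalName: HTTP/portal.example.com

dn: CN=old-svc,CN=Users,DC=example,DC=com
sAMAccountName: old-svc
servicePrincipalName: HTTP/portal.example.com
servicePrincipalName: HTTPS/portal.exam
 ple.com
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join folded lines
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def check_spn(entries, host, expected_user):
    """Check that HTTP/<host> is mapped to expected_user; return (owners, findings)."""
    owners, findings = [], []
    for e in entries:
        user = e.get("samaccountname", ["?"])[0]
        for spn in e.get("serviceprincipalname", []):
            service, _, target = spn.upper().partition("/")
            if target == host.upper() and service == "HTTP":
                owners.append(user)
            elif target == host.upper() and service == "HTTPS":
                findings.append(f"{user}: {spn} should be HTTP/{host}")
    if not owners:
        findings.append(f"HTTP/{host} is not registered on any account")
    for user in owners:
        if user.lower() != expected_user.lower():
            findings.append(f"HTTP/{host} is mapped to {user}, not {expected_user}")
    return owners, findings
```

An empty findings list means the SPN is mapped only to the expected service user; any entry names the account and SPN that need correcting.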
IE7 - Kerberos issue
If you are using IE7 and Kerberos doesn't work (check it with Kerbtray), this fix may help you: