I have mycorp.com, ch1.mycorp.com, mycorp2.com domains (it is all windows) I am configuring sso-kerberose-negotiate authentication My server running in mainaaa3.mycorp2.com, I have created spn "http:/mainaaa3.mycorp2.com" for it, and I have set trusts between domains, but if users from mycorp.com, ch1.mycorp.com domains that browser do not send negotiate-ticket, and then I have created spn in each domains for "http:/mainaaa3.mycorp2.com", and now I have error: Mechanism level: Integrity check on decrypted field failed (31)
what am I doing wrong?
The SPN shouldn't have a semi colon in it, you should have "http/mainaaa3.mycorp2.com". That may not be your only problem, however.
You should ask this question on Server Fault instead, as it is not directly related to programming.