I've been struggling with this prob since a while and I start being desperate to find a solution.
Here's my problem: I have setup a SAP Enterprise Portal which is published via Microsoft ISA. ISA is used to publish the page via HTTPS (only HTTP on SAP EP) and the listener is configured with anonymous and client may authenticate directly. SAP EP is then dealing with the authentication.
We decided to introduce Kerberos to simplify the connection. On SAP side no problem, SPNego Wizard, one restart of the instance and voila. On AD side, we have created the SPN and assigned it to the service account specified in SAP.
Well, it works like a charm (HTTP & HTTPS from IE, Firefox, and Chrome) when you address directly the SAP EP. But, when we try to do it through Microsoft TMG (the new ISA) with the same setup that before (no auth on the listener and client may authenticate) it works w/o a problem with Firefox, and Chrome on HTTPS and HTTP, but on IE it only works if HTTP.
It seems that IE or TMG gets confused with the HTTPS -> HTTP tunneling done by TMG. I checked with Fiddler, and IE is receiving the 401 for Negotiate and is posting the KRB ticket but it fails somehow and fall back to the auth page of SAP.
FYI: The SPN is correct, IE gets it properly but something is then not rolling properly.
