
We are running a Tomcat application behind an IIS 8.5 Windows Authentication proxy; the redirect is via the Tomcat AJP connector.

We now have the problem that on certain clients, the authentication fails with a 401 error; the users get a logon prompt but cannot authenticate (IE9, Integrated Windows Auth enabled). There is no problem with their user account, since on other machines affected users can log on fine.

We tried clearing the Temporary Internet Files on the clients as well as purging the Kerberos ticket store (CMD -> klist purge), but it didn't help. What helped, however, was deleting the entire user profile from the machine. With a "fresh" user profile, the problem disappears.

Any idea what could get cached in the user profile, preventing the clients from authenticating successfully?

0 Answers