Rather, it combines both the NTLM and Kerberos protocols to offer the client a choice on how to authenticate.
Negotiate is like integrated authentication in that it’s not an authentication mechanism unto itself. Therefore, there is no good reason to have more than one TCP endpoint for T-SQL. Unfortunately, SQL Server 2005 treats all the T-SQL endpoints the same (with the exception of the Dedicated Administrator Connection). The idea was to have one connection, from the internal network, with few restrictions, and a second connection, strictly locked down, for the web servers in the DMZ. One of the things I attempted when first experimenting with SQL Server 2005 endpoint security was trying to create a second TCP endpoint for T-SQL and locking down its access. Though it is possible in SQL Server to create more than one TCP endpoint for T-SQL, there’s no point in doing so. It is highly recommend that you use SSL in addition to SPNego, as SPNego does not provide any transport layer security. The Web client requests resources or services from the SAP J2EE Engine and authenticates against the KDC. UME provides the necessary identity management information for authenticating with the Kerberos user. The Web server also needs to be configured to allow anonymous access in order for the SPNego authentication module to be operational.
SAP J2EE Engine, on the other hand, provides access to the resources or services requested by the Web client using Generic Security Service Application Program Interface (GSS-API). The main function of the KDC is to authenticate the user and grant Kerberos Client/Server Session Tickets that are used for the communication between the J2EE Engine and the Web client.
To use SPNego authentication, you are required to configure several systems including the Kerberos Key Distribution Center (KDC), the J2EE Engine and its UME, as well as the Web client. This is supported as of SAP NetWeaver Application Server Java Release AS Java 640 SP 15. SAP J2EE Engine enables the use of the Simple and Protected GSS-API Negotiation (SPNego) mechanism for Kerberos authentication with Web clients. Update: So why was the proxy affecting my Citrix connections? For this the log file provided an answer.In SAP Security Configuration and Deployment, 2009 Using Kerberos Authentication SSO But my bad, the Receiver uses IE proxy settings it seems. I had specifically tried via the Receiver application rather than IE just to avoid any gotchas like this. Googled a lot, read various forum posts, finally came across this blog post that suggested turning off the IE proxy settings. Learnt how to enable Citrix Reciver logging but that didn’t give any errors either (go to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\Logging for 64-bit OS, or HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\Logging for 32-bit OS, specify a value for LogFile, and set everything to true). That didn’t help though, and even though I could ping the XenApp servers and connect to ports 14. Dummy error on my part – I had forgotten to set the default gateway in the DHCP scope. Initially I tracked it down to the fact that I couldn’t ping my XenApp servers. Been banging my head on this since yesterday.