I love this feature and encourage all of my customers to implement SPNEGO/Kerberos authentication for iNotes and other Domino HTTP Services.
At one customer, I got the following error message on the Domino console (after enabling some debug parameters):
Accepting the security context (AcceptSecurityContext) requires continuation
I didn’t find anything Domino-related, only some API documentation.
The problem was related to the fact that Kerberos authentication doesn’t really work with DNS alias names (at least in this environment).
In our environment, we used the Domino URL to configure the SPN as described in the documentation.
setspn -a HTTP/domino1.acme.com SERVICEACCOUNT
But the Domino server name was only a DNS alias, not the real machine name. So we just had to register another SPN with the “real” Windows machine name, and then it worked.
setspn -a HTTP/real-windows-name.acme.com SERVICEACCOUNT
You can still use the Domino URL to access the server, no need to use the machine name!
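A check for the situation described above, as an added example that is not part of the original post: it resolves the name used in the URL to its canonical DNS name and looks up which account, if any, holds the HTTP SPN for each name. It assumes a domain-joined Windows machine with Resolve-DnsName available and a service account in the current domain; the function names are illustrative.

```powershell
# Added example, not from the original post. Run on a domain-joined Windows machine.
# $UrlHost is the name users type in the browser (value taken from the post).
$UrlHost = 'domino1.acme.com'

function Get-CanonicalName([string]$Name) {
    # An A lookup on an alias returns the CNAME chain followed by the A records;
    # the NameHost of the last CNAME is the real machine name.
    $answer = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop
    $cname  = $answer | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -Last 1
    if ($cname) { $cname.NameHost } else { $Name }
}

function Get-SpnOwner([string]$Spn) {
    # LDAP search (current domain only) for every account that holds this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}

# Check the alias and the canonical name; DNS names are case-insensitive.
$names = @($UrlHost.ToLower(), (Get-CanonicalName $UrlHost).ToLower()) |
    Select-Object -Unique

foreach ($n in $names) {
    $spn    = "HTTP/$n"
    $owners = @(Get-SpnOwner $spn)
    switch ($owners.Count) {
        0       { "MISSING    $spn  (register with: setspn -a $spn SERVICEACCOUNT)" }
        1       { "OK         $spn  -> $($owners[0])" }
        # The same SPN on more than one account also breaks Kerberos authentication.
        default { "DUPLICATE  $spn  -> $($owners -join ', ')" }
    }
}
```

A MISSING line for the canonical name while the alias shows OK is the state this post started from.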
Now it is working, and all users can just open a browser URL to access their nice iNotes 9 webmail interface. This sounds like a “nice to have” feature, but if users are no longer forced to enter a login (which they may not know because the HTTP password is not synchronized, or for other reasons), it is a tremendous increase in user satisfaction.