SAP SSO, KErberos and Active Directory

Guys,

First of all I am not a SAP person, but working in the network department. So sorry if I don't use the appropriate words for my question.

My company is using SAP for different services.

A few months ago the SAP team installed SSO so we don't need to authenticate anymore. We logon on in the morning in AD, and then when we click the SAP link Kerberos is doing this job and we are authicated. It works fine.. but we don't have any other consulting budget to go to phase 2.. which is my question.

We have remote sites not connected to are LAN/WAN. The come to see us via a VPN/SSL architecture. This product is able to authenticate the users, and then do somme Kerberos SSO. It is based on Kerberos Constained Delegation. User authenticate, and when they click on SAP, the Gateway ask for a TGS, get it, and then send it to the sap machine.

Here is my problem... it does not work.

What I can see from the getway is that I get my TGS, send it to SAP and then connection refused.

I don't undestand why it happens on the SAP part.

Here is my question : How can I deep debug the authentication part on SAP ? Is my TGS ok ? What part is wrong ? Options, ... ? So I am blind, with no budget to hire an expert on this.

If you could advise me that would be great.

Best regards, and many thanks.

Fred