I have a problem with Kerberos SSO authentication in Windows 2003 server.EP send a SAP logon ticket to Browser as cookie MYSAPSSO2.LsaLogonUser handle is correct and there is an error in Kerberos protocol:

KDC_ERR_S_PRINCIPAL_UNKNOWN.

I have an WeBSite in IIS: WebDAV where I publishing a virtual directory in IIS.The KerbMap filter is installed correctly(green indicator).

I think there is a problem with SPN. My logon ID is testowy and this is parameter(UserPrincipalName) for user KUKA in WIN2003.I try to register for this account a SPN like http/orkan when "orkan" is a host name but it doesn't work.I still have an error KDC_ERR_S_PRINCIPAL_UNKNOWN.

I know that should be SPN like: service_class/host but which service class should I use? http? www? w3svc? or something else.

Best regards

Rafa³