SCN pals,
We have SPNego / SNC set up on both our NW 7.31 SP07 and NW 7.40 SP07 systems.
We used the basic steps outlined in the videos:
http://scn.sap.com/docs/DOC-40178
But one thing I have noticed is that once I have established a connection into SAP GUI via SNC or WebGUI via SPNego, my ticket in "klist" looks like this:
C:\Users\nwells>klist

Current LogonId is 0:0x5b639

Cached Tickets: (2)

#0>     Client: MY-ID @ MY-DOMAIN.COM
        Server: krbtgt/MY-DOMAIN.COM @ MY-DOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a00000 -> forwardable forwarded renewable initial pre_authent
        Start Time: 5/20/2015 15:26:53 (local)
        End Time:   5/21/2015 1:26:53 (local)
        Renew Time: 5/27/2015 15:26:53 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: MY-ID @ MY-DOMAIN.COM
        Server: krbtgt/MY-DOMAIN.COM @ MY-DOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 5/20/2015 15:26:53 (local)
        End Time:   5/21/2015 1:26:53 (local)
        Renew Time: 5/27/2015 15:26:53 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#2>     Client: MY-ID @ MY-DOMAIN.COM
        Server: SAP/SA-AGC-ABAP-SID @ MY-DOMAIN.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 5/20/2015 15:26:53 (local)
        End Time:   5/21/2015 1:26:53 (local)
        Renew Time: 5/27/2015 15:26:53 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

#3>     Client: MY-ID @ MY-DOMAIN.COM
        Server: HTTP/my-hostname.my-domain.com @ MY-DOMAIN.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 5/20/2015 15:26:53 (local)
        End Time:   5/21/2015 1:26:53 (local)
        Renew Time: 5/27/2015 15:26:53 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
Does anyone know why my SAP Kerberos tokens come over as RSADSI RC4-HMAC(NT)?
When I created the keytab at the OS level, I got this as part of the output:
keytab: KeyTab content stored:
Version  Time stamp                KeyType  Kerberos name
1        Thu May  7 15:42:25 2015  DES      SA-AGC-ABAP-SID@MY-DOMAIN.COM
1        Thu May  7 15:42:25 2015  AES128   SA-AGC-ABAP-SID@MY-DOMAIN.COM
1        Thu May  7 15:42:25 2015  AES256   SA-AGC-ABAP-SID@MY-DOMAIN.COM
1        Thu May  7 15:42:25 2015  RC4      SA-AGC-ABAP-SID@MY-DOMAIN.COM
and in the SPNEGO transaction, I have these listed:
DES-CBC-CRC
DES-CBC-MD5
AES128_CTS_HMAC_SHA1_96
AES256_CTS_HMAC_SHA1_96
RC4-HMAC-MD5
RC4-HMAC-MD5-56
So I would think that I'm covered.
I read this note and applied it on my NW 7.31 system, but it was N/A on 7.40. I meet the kernel requirements for both as well.
1832706 - SPNego ABAP: Fixes for Algorithms AES128, AES256, DES
If I get my AD administrator to tick the box for my user SA-AGC-ABAP-SID@MY-DOMAIN.COM that says "This account supports Kerberos AES 256 bit encryption" in the account options... NOTHING works! SPNego just falls back to username/password, and SNC pops up a message when you try to log in that says:
"GSS-API(min): A2210217:the verification of the Kerberos ticket failed
target="p:CN=SA-AGC-ABAP-SID""
I also read this note:
1677641 - Kerberos authentication problem (SNG/GSS error a2210217)
but we already have the latest NW SSO 2.0 SP05 login library and note 1832706. I'm certain my user/password for AD is correct.
Anyway, I know I said a lot... ANY thoughts?
thanks,
NICK
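Editor's note, added after the post and not code from the thread or from SAP: the etype printed by klist for a service ticket is chosen by the KDC from what the service account advertises in its msDS-SupportedEncryptionTypes attribute (the "This account supports Kerberos AES 256 bit encryption" checkbox sets one bit of that value), not from what the keytab or the SPNEGO transaction lists. The script below decodes that attribute, predicts the ticket key type, flags RC4/DES service tickets in klist output, and checks whether a keytab listing contains a key of the predicted type. It assumes the bit values from MS-KILE section 2.2.7 and the 2015-era KDC default of RC4 for accounts with the attribute unset; the sample klist and keytab text is constructed to mirror the layout in the post and is not captured from a real system.

```python
"""Added example: decode msDS-SupportedEncryptionTypes, predict the service ticket
etype, and audit klist / keytab listings for RC4 and DES.

Assumptions: bit values per MS-KILE 2.2.7; an account with the attribute unset is
treated as RC4-only (2015-era KDC default). Sample text below is constructed.
"""
import re

# msDS-SupportedEncryptionTypes bit flags (MS-KILE 2.2.7). The AD account option
# "This account supports Kerberos AES 256 bit encryption" sets 0x10.
ETYPE_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
# Preference order the KDC applies when picking the key for a service ticket
STRENGTH = {0x01: 1, 0x02: 2, 0x04: 3, 0x08: 4, 0x10: 5}
# Key-type labels as printed by the keytab tool in the post, keyed by etype name
KEYTAB_LABEL = {
    "DES-CBC-CRC": "DES", "DES-CBC-MD5": "DES", "RC4-HMAC": "RC4",
    "AES128-CTS-HMAC-SHA1-96": "AES128", "AES256-CTS-HMAC-SHA1-96": "AES256",
}


def decode_supported_etypes(value):
    """Names of the etype bits set in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in ETYPE_FLAGS.items() if value and value & bit]


def predict_ticket_etype(value):
    """Strongest etype the service account advertises: the KDC encrypts the
    service ticket with that key. Unset/zero falls back to RC4-HMAC."""
    known = [bit for bit in ETYPE_FLAGS if value and value & bit]
    if not known:
        return "RC4-HMAC"
    return ETYPE_FLAGS[max(known, key=STRENGTH.__getitem__)]


TICKET_RE = re.compile(
    r"#\d+>\s*Client:\s*(?P<client>[^\n]+)\n"
    r"\s*Server:\s*(?P<server>[^\n]+)\n"
    r"\s*KerbTicket Encryption Type:\s*(?P<etype>[^\n]+)"
)


def weak_service_tickets(klist_text):
    """(SPN, etype) for each cached service ticket (TGTs skipped) using RC4 or DES."""
    findings = []
    for m in TICKET_RE.finditer(klist_text):
        server, etype = m.group("server").strip(), m.group("etype").strip()
        if server.startswith("krbtgt/"):
            continue
        if "RC4" in etype.upper() or "DES" in etype.upper():
            findings.append((server, etype))
    return findings


KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s+(DES|AES128|AES256|RC4)\s+(\S+)\s*$", re.M)


def keytab_key_types(listing):
    """Set of (key type label, principal) pairs from a 'KeyTab content stored' listing."""
    return {(m.group(3), m.group(4)) for m in KEYTAB_RE.finditer(listing)}


def check_service(supported_value, keytab_listing, principal):
    """Predict the ticket etype and report whether the keytab holds a key of that
    type. A matching key type does not prove the key bytes match: a wrong
    password, salt or kvno still fails ticket verification."""
    etype = predict_ticket_etype(supported_value)
    present = (KEYTAB_LABEL[etype], principal) in keytab_key_types(keytab_listing)
    return {"ticket_etype": etype, "keytab_has_key_type": present}


# Constructed sample input mirroring the layout in the post (not real captures)
SAMPLE_KLIST = """\
Current LogonId is 0:0x5b639
Cached Tickets: (3)
#0>     Client: MY-ID @ MY-DOMAIN.COM
        Server: krbtgt/MY-DOMAIN.COM @ MY-DOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
#1>     Client: MY-ID @ MY-DOMAIN.COM
        Server: SAP/SA-AGC-ABAP-SID @ MY-DOMAIN.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
#2>     Client: MY-ID @ MY-DOMAIN.COM
        Server: HTTP/my-hostname.my-domain.com @ MY-DOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
"""
SAMPLE_KEYTAB = """\
keytab: KeyTab content stored:
Version Time stamp               KeyType  Kerberos name
1       Thu May  7 15:42:25 2015 DES      SA-AGC-ABAP-SID@MY-DOMAIN.COM
1       Thu May  7 15:42:25 2015 AES256   SA-AGC-ABAP-SID@MY-DOMAIN.COM
1       Thu May  7 15:42:25 2015 RC4      SA-AGC-ABAP-SID@MY-DOMAIN.COM
"""

if __name__ == "__main__":
    p = "SA-AGC-ABAP-SID@MY-DOMAIN.COM"
    print(weak_service_tickets(SAMPLE_KLIST))
    print(check_service(0, SAMPLE_KEYTAB, p))      # attribute unset -> RC4 ticket
    print(check_service(0x10, SAMPLE_KEYTAB, p))   # AES256 box ticked -> AES256 ticket
```

Reading the result: with the attribute unset the script predicts an RC4-HMAC ticket, which matches the klist output in the post even though the keytab and the SPNEGO transaction both list AES. Once the AES256 bit is set the prediction flips to AES256; if the keytab listing shows an AES256 key for the principal and verification still fails, the listing alone cannot tell you why, because it shows key types, not whether the key bytes were derived from the right password, salt and kvno.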