Possible cause 1: The integration with Active Directory will use the Identity Source name as a realm.
The realm name for NTLM/Kerberos must match the Active Directory NetBIOS name before single sign-on could work.
Workaround: Make sure the Identity Source for Active Directory name is matching the NetBIOS name of Active Directory.
Possible cause 2: Internet Explorer will only engage an NTLM/Kerberos handshake if the visited site is listed in the trusted zone list.
Workaround: Make sure the Application Workspace Zone is listed in the trusted zone list of Internet Explorer.
Possible cause 3: The Kerberos token exceeds the allowed size.
Note: Application Workspace makes use of the HTTP.sys that is provided with Windows.
Workaround: Follow the steps in HTTP 400 Error Responses to HTTP Requests - Internet Information Services | Microsoft Learn.
