Cannot authenticate by using NTLM
When you attempt to access a Web security server, you receive the following error messages:

DPWWA2403E Your browser supplied NTLM authentication data. NTLM is not supported by WebSEAL. Ensure that your browser is configured to use Integrated Windows Authentication.

WebSEAL does not support NT LAN Manager (NTLM) authentication. Some browsers support NTLM authentication only or are configured to send NTLM authentication tokens instead of SPNEGO tokens. A browser that supports SPNEGO might be sending NTLM tokens for the following reasons:
- Microsoft Internet Explorer is not configured with the WebSEAL server in the Trusted sites or Local intranet zone.
- Microsoft Internet Explorer is not configured for Integrated Windows Authentication.
- The client workstation and the WebSEAL server might be members of different Active Directory domains (Kerberos realms).
- The client workstation is not logged in to the Active Directory domain.
- The client workstation is not specifying the correct host name to access the WebSEAL server. The value specified for the -princ option of the ktpass command must be the same host name that the client uses to contact the Web security server. For example, if clients contact the Web security server at https://diamond.subnet2.ibm.com and the Web security server is in the IBM.COM Kerberos realm, specify the following value for the -princ option:
HTTP/diamond.subnet2.ibm.com@IBM.COM
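
To confirm which token type a browser actually sent, the Authorization header from an HTTP trace can be decoded and checked against the NTLMSSP signature and the SPNEGO OID (1.3.6.1.5.5.2). The following is an added diagnostic example, not part of the product documentation; the function names and the sample headers are constructed for illustration.

```python
import base64
import binascii

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                  # first 8 bytes of every NTLM message
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")  # DER encoding of OID 1.3.6.1.5.5.2
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def _skip_der_length(buf, pos):
    """Return the index just past the DER length field that starts at pos."""
    first = buf[pos]
    if first < 0x80:                     # short form: one length byte
        return pos + 1
    return pos + 1 + (first & 0x7F)      # long form: 0x80|n, then n length bytes


def classify_authorization(header_value):
    """Classify the token carried in an HTTP Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other-scheme"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"
    # Raw NTLM: signature, then a little-endian 32-bit message type.
    if token.startswith(NTLMSSP_SIGNATURE) and len(token) >= 12:
        msg_type = int.from_bytes(token[8:12], "little")
        return "ntlm:" + NTLM_MESSAGE_TYPES.get(msg_type, "UNKNOWN")
    # Initial SPNEGO token: GSS-API wrapper (tag 0x60) whose mechanism OID is SPNEGO.
    if len(token) > 2 and token[0] == 0x60:
        oid_at = _skip_der_length(token, 1)
        if token[oid_at:oid_at + len(SPNEGO_OID_DER)] == SPNEGO_OID_DER:
            return "spnego"
    return "unrecognized"


# Constructed sample headers (truncated tokens, only the identifying prefix is real).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + bytes(4)).decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    b"\x60\x0a" + SPNEGO_OID_DER + b"\xa0\x00").decode()

if __name__ == "__main__":
    for sample in (SAMPLE_NTLM, SAMPLE_SPNEGO):
        print(classify_authorization(sample), "<-", sample)
```

A result beginning with `ntlm:` corresponds to the DPWWA2403E condition; work through the causes listed above before retesting.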
Under certain circumstances, clients cannot be prevented from sending NTLM authentication tokens. Under these circumstances, we might not be able to directly use SPNEGO authentication with the WebSEAL server. Instead, we can configure the Web Server Plug-in for IIS to serve as an e-community SSO (ECSSO) master authentication server (MAS). In this configuration, the Web server plug-in must be configured to support both NTLM and SPNEGO tokens. The WebSEAL server then receives ECSSO tokens from the MAS.