While configuring a second instance of GroupID in your environment (whether as a client or as a new GroupID machine with an existing database), the following error may occur when connecting to the parent GroupID machine:
IIS passes the Negotiate security header when Windows Integrated authentication is used to authenticate client requests. The Negotiate security header lets clients select between Kerberos authentication and NTLM authentication. In this scenario, no SPN has been set, so NTLM is being used where Kerberos is required; that is why the error occurs.
To enable the Negotiate process to select the Kerberos protocol for network authentication, the client application must provide an SPN, a user principal name (UPN), or a NetBIOS account name as the target name. If the client application does not provide a target name, the Negotiate process cannot use the Kerberos protocol. If the Negotiate process cannot use the Kerberos protocol, the Negotiate process selects the NTLM protocol.
An SPN is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each service instance must have its own SPN. To access the IIS application by using the NetBIOS name, use the following command on the parent GroupID machine:
setspn -a http/NETBIOS_NAME_OF_GROUPID_MACHINE domain\username
(username must be the service account under which the GroupIDApp pool is running)
For access by the fully qualified domain name (FQDN):
setspn -a http/FQDN_OF_IIS_SERVER domain\username
This should resolve the issue. If not, please email firstname.lastname@example.org.
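To check which protocol Negotiate actually selected, before and after registering the SPN, the token in the request's Authorization header can be inspected. The following Python sketch is an added example, not part of the original article or of GroupID; it is a heuristic based on the NTLMSSP signature and the Kerberos mechanism OIDs, and the sample tokens in it are constructed.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                       # every NTLM message starts with this
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),       # 1.2.840.113554.1.2.2 (Kerberos 5)
    bytes.fromhex("06092a864882f712010202"),       # 1.2.840.48018.1.2.2 (legacy MS Kerberos)
)


def classify_negotiate(header_value: str) -> str:
    """Classify an Authorization / WWW-Authenticate header value.

    Returns 'kerberos', 'ntlm', 'challenge-only' or 'unknown'.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    scheme, b64 = scheme.lower(), b64.strip()
    if scheme == "ntlm":
        return "ntlm"
    if scheme != "negotiate":
        return "unknown"
    if not b64:
        return "challenge-only"      # server offers Negotiate, no token sent yet
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:               # binascii.Error is a ValueError
        return "unknown"
    # NTLM can be sent raw or wrapped in SPNEGO; the signature appears either way.
    if NTLMSSP_SIG in token:
        return "ntlm"
    # A GSS-API/SPNEGO token starts with ASN.1 tag 0x60 and names its mechanism.
    if token[:1] == b"\x60" and any(oid in token for oid in KRB5_OIDS):
        return "kerberos"
    return "unknown"


# Constructed sample tokens (not captured traffic): an NTLM type 1 message and
# the first bytes of a SPNEGO token that carries a Kerberos AP-REQ.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2").decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(
    b"\x60\x82\x01\x00" + bytes.fromhex("06062b0601050502")
    + KRB5_OIDS[0] + b"\x01\x00" + b"\x00" * 16).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_NTLM, SAMPLE_KRB, "Negotiate"):
        print(classify_negotiate(sample))
```

A token value beginning with TlRMTVNT is NTLM; one beginning with YII is a GSS-API/SPNEGO token, which is what a successful Kerberos selection produces.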