All,
We have all the settings needed for SPNEGO on ABAP. I don't want to go into them here, but as the discussion moves forward I can explain all that!
SOMETIMES.....SOMETIMES when trying to log in via NWBC / WEBGUI and CRM ICWEB, users are presented with login screens.
When NWBC/WEBGUI presents a login screen, it's the typical login screen you would see as if no SSO was set up.
And if I refresh the URL a few times, I will end up getting in without actually putting in any user/pass.
When they see the ICWEB login screen, it's really just a pop-up in the browser, saying "Windows Security" (at the top). Then, in the window, it says:
"The server myCRMhostname.MyDomain.com at SAP Netweaver Application server [SID/CLIENT] requires a username and password."
Then you see a box for the username/password.
Again, just hit 'cancel' a few times and you will get in....
Sooooo strange. SSO will work great for all users across all PCs for a few hours at a time. Then it will stop working and we'll get those errors I noted above.
I've done TONS of research on this. I highly suspect our Microsoft AD network...KDC has a problem, but I know nothing about that side of the house.
There are a few notes out in SAP, and threads out of Google searches, that talk about how the KDC, instead of sending a Kerberos token, will send something called an NTLM token. And when that happens, you can't log in. But it all comes down to why/how the Kerberos KDC is sending that.
How do you prove / disprove that the KDC is sending a Kerberos token (or an NTLM token) from an SAP ABAP perspective?
Or how else could I effectively troubleshoot this issue?
I really believe that NW SSO could be great for our environment, but because of all these moving parts it is proving very difficult to troubleshoot when it breaks.
Thanks
NICK
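
One way to check which token type reaches the server, as an added example that is not part of the original post: the function below decodes the token a browser places in the HTTP `Authorization: Negotiate` header and reports whether it is NTLM or Kerberos, raw or SPNEGO-wrapped. The function names are hypothetical, and the header value is assumed to be copied from a browser or proxy trace of the failing request.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                           # NTLM message signature
OID_SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = (bytes.fromhex("2a864886f712010202"),   # 1.2.840.113554.1.2.2
            bytes.fromhex("2a864882f712010202"))   # 1.2.840.48018.1.2.2 (MS)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise IndexError("truncated token")
    return tag, pos, pos + length

def _spnego_mech_token(body):
    """Return the mechToken bytes of a SPNEGO NegTokenInit, or b'' if absent."""
    _, pos, _ = _tlv(body, 0)                      # [0] NegTokenInit
    _, pos, end = _tlv(body, pos)                  # SEQUENCE of fields
    while pos < end:
        tag, v_start, pos = _tlv(body, pos)
        if tag == 0xA2:                            # [2] mechToken
            _, s, e = _tlv(body, v_start)          # OCTET STRING
            return body[s:e]
    return b""

def _kind(tok):
    """Classify raw token bytes by signature or GSS-API mechanism OID."""
    if tok.startswith(NTLMSSP):
        return "ntlm"
    if tok[:1] != b"\x60":                         # not a GSS-API initial token
        return "unknown"
    _, start, end = _tlv(tok, 0)
    _, o_start, o_end = _tlv(tok, start)           # mechanism OID
    mech = tok[o_start:o_end]
    if mech in OID_KRB5:
        return "kerberos"
    if mech == OID_SPNEGO:
        return "spnego-" + _kind(_spnego_mech_token(tok[o_end:end]))
    return "unknown"

def classify(header_value):
    """Classify an 'Authorization' value such as 'Negotiate <base64>'."""
    _, _, b64 = header_value.strip().partition(" ")
    try:
        return _kind(base64.b64decode(b64.strip(), validate=True))
    except (ValueError, IndexError):
        return "malformed"
```

Pass it the `Authorization` value from the first authenticated request captured when the login prompt appears. A result of `ntlm` or `spnego-ntlm` means the client offered NTLM rather than a Kerberos ticket on that request; such tokens are also recognisable by eye because their base64 begins with `TlRMTVNT`.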