We were experiencing an interesting challenge in our SAP single sign-on implementation. We could call SAP RFC functions from the developer machines (passing our SAP logon tickets), but the exact same calls failed when we called them from the IIS server.
Here is a description of the problem from SAP's help literature: 'There is currently a technical limitation in the Kerberos implementation from SAP. You can only use Kerberos with the client machine at this time.'
Fortunately, there is a solution.  Our security guru solved it by reconfiguring the domain settings on the problematic server.  We now have an end-to-end single sign-on solution for our SAP and .NET environments.
 
