Token decode error authenticating to Access Manager with Kerberos

Kerberos authentication enabled on Identity Server (IDP) so that users authenticated to Active Directory on the desktop can single sign on (SSO) to the Access Manager IDP server. All users could SSO successfully but randomly (max 5% of the time) users do not get SSO to the IDP server. They would be prompted for credentials via the basic auth popup and end up either looping in this login window, or getting an error that the NTLM token type was not supported.

The log files indicate that there is an issue decoding the kerberos token. The catalina.out file shows

<amLogEntry> 2009-03-10T07:29:47Z SEVERE NIDS Application: AM#200104101:
AMDEVICEID#9749CD8D23EF1829: Error processing SPNEGO/Kerberos : Error while
decoding </amLogEntry>

If, when the problem happens, the user shuts down IE and starts it back up again, it is probable that the user will be able to SSO to the IDP server using kerberos. The problem is not specific to a workstation or a user. It just happens randomly.

Apply 3.0 SP4 IR4. For some reason, in this specific environment, the token from client was not properly base 64 encoded. Changing the base64 decoding library fixed the issue.