How do I verify if Kerberos SPN is valid in an explicit proxy deployment?
Article ID: 168776

Products

ProxySG Software - SGOS

Issue/Introduction

In an explicit proxy deployment, the client sends a Kerberos request (TGS Request), which contains a service principal name (SPN), to the Key Distribution Center (KDC). When the KDC receives the request, it either returns a service ticket or an error message to the client. The KDC returns a service ticket if the SPN is valid and an error message such as "unknown principal name" if the SPN is invalid.

Resolution

To verify if the SPN is valid for a client in an explicit proxy deployment:

  1. Verify that the browser is configured with the correct ProxySG hostname (the host part of the SPN the client will request).
  2. In a command prompt on the client, enter the following command to clear the Kerberos ticket cache so that the client must request a new service ticket:

      klist purge

  3. Start the PCAP on the client and attempt to authenticate to the ProxySG appliance.
  4. Stop the PCAP and examine the packets for the request to the KDC (the TGS-REQ). Locate the SPN that the client requested, as well as the KDC's response. If the SPN is invalid, you will see an error response (KRB-ERROR) instead of a service ticket (TGS-REP).
  5. If the browser is not able to get the Kerberos token from the KDC, the client/browser will fall back to NTLM authentication to the ProxySG.
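When reading the capture in step 4, the two fields that answer the question are the service name (sname) in the KDC's reply and, on failure, the error-code of the KRB-ERROR message (RFC 4120 section 5.9.1); error code 7, KDC_ERR_S_PRINCIPAL_UNKNOWN, is the "unknown principal name" case described above. The following script is an added example and not ProxySG or Broadcom code: it contains a minimal DER decoder that pulls the realm, SPN and error code out of a raw KRB-ERROR message, and, because no capture is shipped with this article, a small encoder that constructs a sample KRB-ERROR for a placeholder SPN (HTTP/proxy.example.com in realm EXAMPLE.COM) so the decoder can be exercised offline. With a real capture, pass the bytes of the KRB-ERROR PDU exported from your packet analyzer to parse_krb_error instead of the constructed sample.

```python
"""Decode a Kerberos KRB-ERROR to show which SPN the client asked for and
why the KDC refused it. Added example (not ProxySG code); the sample
message is constructed here and uses placeholder names."""

# Subset of Kerberos error codes from RFC 4120 section 7.5.9.
KRB_ERROR_CODES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",   # the requested SPN is not registered
    25: "KDC_ERR_PREAUTH_REQUIRED",
    68: "KDC_ERR_WRONG_REALM",
}
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7

APPLICATION_KRB_ERROR = 0x60 | 30   # [APPLICATION 30], constructed
SEQUENCE, INTEGER, GENERAL_STRING, GENERALIZED_TIME = 0x30, 0x02, 0x1B, 0x18


# ---- minimal DER encoding, just enough to build a sample KRB-ERROR ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _ctx(n, body):
    # Kerberos uses EXPLICIT context tags: [n] wraps a complete inner TLV.
    return _tlv(0xA0 | n, body)

def _der_int(v):
    size = max(1, (v.bit_length() + 8) // 8)   # one extra bit for the sign
    return _tlv(INTEGER, v.to_bytes(size, "big", signed=True))

def _principal(name_string, name_type=2):      # NT-SRV-INST
    names = b"".join(_tlv(GENERAL_STRING, s.encode()) for s in name_string)
    return _tlv(SEQUENCE, _ctx(0, _der_int(name_type)) + _ctx(1, _tlv(SEQUENCE, names)))

def build_krb_error(error_code, realm, sname, stime=b"20240101000000Z"):
    """Constructed sample: a KRB-ERROR the KDC would return for `sname`."""
    body = (_ctx(0, _der_int(5))                        # pvno
            + _ctx(1, _der_int(30))                     # msg-type = KRB-ERROR
            + _ctx(4, _tlv(GENERALIZED_TIME, stime))    # stime
            + _ctx(5, _der_int(0))                      # susec
            + _ctx(6, _der_int(error_code))             # error-code
            + _ctx(9, _tlv(GENERAL_STRING, realm.encode()))   # service realm
            + _ctx(10, _principal(sname)))              # sname (the SPN)
    return _tlv(APPLICATION_KRB_ERROR, _tlv(SEQUENCE, body))


# ---- decoder: walk the TLVs and pick out the fields of interest ----
def _read_tlv(data, pos=0):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def _children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val

def _decode_principal(seq_tlv):
    _, seq, _ = _read_tlv(seq_tlv)
    parts = []
    for ctag, cval in _children(seq):
        if (ctag & 0x1F) == 1:                          # [1] name-string
            _, names, _ = _read_tlv(cval)
            parts = [v.decode() for _, v in _children(names)]
    return "/".join(parts)                              # e.g. HTTP/host

def parse_krb_error(data):
    """Return realm, SPN, error code and whether the SPN was unknown."""
    tag, seq_tlv, _ = _read_tlv(data)
    if tag != APPLICATION_KRB_ERROR:
        raise ValueError("not a KRB-ERROR message")
    _, fields, _ = _read_tlv(seq_tlv)
    out = {}
    for ctag, cval in _children(fields):
        n = ctag & 0x1F
        if n == 6:
            out["error_code"] = int.from_bytes(_read_tlv(cval)[1], "big", signed=True)
        elif n == 9:
            out["realm"] = _read_tlv(cval)[1].decode()
        elif n == 10:
            out["sname"] = _decode_principal(cval)
    out["error_name"] = KRB_ERROR_CODES.get(out.get("error_code"), "UNKNOWN")
    out["spn_unknown"] = out.get("error_code") == KDC_ERR_S_PRINCIPAL_UNKNOWN
    return out


if __name__ == "__main__":
    sample = build_krb_error(7, "EXAMPLE.COM", ["HTTP", "proxy.example.com"])
    print(parse_krb_error(sample))
```

The decoder only distinguishes "SPN unknown" from other failures; a KRB-ERROR with another code (pre-authentication required, wrong realm) does not confirm that the SPN is valid, it only means the KDC rejected the request for a different reason, so check the code before concluding anything about the SPN.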