In an explicit proxy deployment, the client sends a Kerberos request, which contains a service principal name (SPN), to the Key Distribution Center (KDC). When the KDC receives the request, it returns either a service ticket or an error message to the client: a service ticket if the SPN is valid, and an error message if the SPN is invalid.
To verify whether the SPN is valid for a client in an explicit proxy deployment:
klist purge
If the SPN is invalid, then see the KB article Configuring Kerberos Authentication in an Explicit Proxy Environment for further instructions.
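As an added example (not part of the original KB article), the PowerShell function below runs the check end to end on a Windows client: it purges the ticket cache with klist purge, requests a service ticket for the SPN with klist get, and reports whether a ticket for that SPN is now in the cache. The function name Test-ProxySpn and the SPN HTTP/proxy.example.com are placeholders, and the match on the "Server:" label assumes English klist output.

```powershell
# Added example: checks whether the KDC issues a service ticket for a proxy SPN.
# Test-ProxySpn is a hypothetical helper name, not a built-in cmdlet.
function Test-ProxySpn {
    param(
        [Parameter(Mandatory)]
        [string]$Spn   # placeholder value, e.g. 'HTTP/proxy.example.com'
    )

    # Start from an empty ticket cache so a stale ticket cannot mask a bad SPN.
    # Note: this clears every cached ticket for the current logon session.
    klist purge | Out-Null

    # Ask the KDC for a service ticket for the SPN; keep the text in case it fails.
    $getOutput = klist get $Spn 2>&1 | Out-String

    # List the cache and look for a ticket whose Server field is the SPN.
    # Assumes English output, where each ticket has a "Server: <spn> @ <REALM>" line.
    $cache   = klist 2>&1 | Out-String
    $pattern = 'Server:\s+' + [regex]::Escape($Spn) + '\s+@'
    $issued  = $cache -match $pattern   # -match is case-insensitive

    [pscustomobject]@{
        Spn          = $Spn
        TicketIssued = $issued
        # On failure, surface what klist reported so the error can be followed up.
        KdcResponse  = if ($issued) { 'service ticket returned' } else { $getOutput.Trim() }
    }
}

# Constructed sample SPN; substitute the SPN used by your proxy.
Test-ProxySpn -Spn 'HTTP/proxy.example.com'
```

TicketIssued is True when the KDC returned a service ticket for the SPN; when it is False, KdcResponse holds the error text that klist reported.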