In an explicit proxy deployment, the client sends a Kerberos request, which contains a service principal name (SPN), to the Key Distribution Center (KDC). When the KDC receives the request, it either returns a service ticket or an error message to the client. The KDC returns a service ticket if the SPN is valid and an error message if the SPN is invalid.
To verify if the SPN is valid for a client in an explicit proxy deployment:

1. Verify that the browser is configured with the correct hostname.
2.  In the CLI, enter the following command to clear the ticket cache:

      klist purge

3. Enable LSA debug and set up a PCAP to collect the LSA debug on the ProxySG appliance. To enable LSA debug and set up a PCAP, see the KB article Troubleshoot intermittent IWA Direct problems.
4. Start the PCAP on the client and attempt to authenticate to the ProxySG appliance.
5. Stop the PCAP and examine the packets for the request to the KDC. Locate the SPN that the client requested, as well as the KDC’s response. If the SPN is invalid, you will see an error response.

If the SPN is invalid, then see the KB article Configuring Kerberos Authentication in an Explicit Proxy Environment for further instructions.
 

See above