In a Kerberos enabled IWA authentication deployment, receiving error message "Unable to store Kerberos username and password. The IWA direct realm encountered an unmapped error code, contact your system administrator. Ensure domain is properly (re)joined” when attempting to update the "Set Credentials" under Configuration -> Authentication -> IWA -> IWA Servers [Tab] -> Load-balanced Kerberos.
One of the most common reasons for this issue is SG failed to get a response from DC for its query to fetch an attribute called "msDS-KeyVersionNumber". In short, this attribute specifies the Kerberos version number of the current key for the AD account. In case the DC have permission restrictions to return the value of this attribute, ProxySG cannot update its own keytab file resulting in this error message. It can be validated from a packet capture taken on proxy while trying to set the credentials.
LDAP query to DC:
LDAP response from DC:
The solution is to grant permissions to return the attribute value and limit the privileges to the Kerberos account created on AD.