The service principal name (SPN) assigned to the AD account used for authentication may be misconfigured. Typically you would use the DNS name specified in the proxy setting; however, when that name is an alias, this is not correct. The SPN assigned to the account needs to be the dereferenced alias record.
To verify whether this is the issue you've encountered, list the SPNs registered on the account:
C:\Windows\system32>setspn -L proxyaccount
Registered ServicePrincipalNames for CN=proxyaccount,CN=Users,DC=ws2012,DC=lab:
HTTP/proxy-alias.ws2012.lab
We can see that the alias was specified for the SPN, which confirms the misconfiguration.
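The same check as a script, as an added example that is not part of the original page: it parses setspn -L output and reports whether the HTTP SPN sits on the alias or on the name the alias dereferences to. The function name Test-ProxySpn and the CNAME target proxy-host.ws2012.lab are assumptions made for illustration.

```powershell
# Added example. Test-ProxySpn is a hypothetical helper, not a built-in cmdlet.
function Test-ProxySpn {
    param(
        [Parameter(Mandatory)] [string] $ProxyName,      # name in the clients' proxy setting
        [Parameter(Mandatory)] [string] $CanonicalName,  # host name the alias dereferences to
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $SetspnOutput  # lines from: setspn -L <account>
    )

    $alias     = $ProxyName.TrimEnd('.')
    $canonical = $CanonicalName.TrimEnd('.')

    # Keep only "HTTP/host[:port]" entries; the header line contains spaces and is skipped.
    $hosts = @(
        $SetspnOutput |
            ForEach-Object { $_.Trim() } |
            Where-Object   { $_ -match '^HTTP/\S+$' } |
            ForEach-Object { (($_ -split '/', 2)[1] -replace ':\d+$', '').TrimEnd('.') }
    )

    # DNS names compare case-insensitively, which is PowerShell's default for -contains and -ne.
    $onCanonical = $hosts -contains $canonical
    $onAlias     = ($alias -ne $canonical) -and ($hosts -contains $alias)

    [pscustomobject]@{
        HttpSpnHosts   = $hosts
        SpnOnCanonical = $onCanonical
        SpnOnAlias     = $onAlias
        Misconfigured  = $onAlias -or -not $onCanonical
    }
}

# Constructed input: the setspn -L output shown above. 'proxy-host.ws2012.lab'
# is a made-up CNAME target, not a value from the page.
$sample = @(
    'Registered ServicePrincipalNames for CN=proxyaccount,CN=Users,DC=ws2012,DC=lab:',
    '        HTTP/proxy-alias.ws2012.lab'
)
Test-ProxySpn -ProxyName 'proxy-alias.ws2012.lab' -CanonicalName 'proxy-host.ws2012.lab' -SetspnOutput $sample

# Live values on a domain-joined machine (same names as above):
#   $cname  = (Resolve-DnsName 'proxy-alias.ws2012.lab' -Type CNAME | Where-Object Type -eq 'CNAME').NameHost
#   $output = setspn -L proxyaccount
```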
When testing authentication, you can use the klist command on the client's command line to confirm that the client is getting a Kerberos ticket: