• The client machine is configured to authenticate with an explicit proxy and the proxy setting is a DNS alias (CNAME record)
• This issue is usually seen when configuring a load-balanced Kerberos user, where we have to set the Service Principal Name (SPN) on the AD account used
• A packet capture on the client machine shows an invalid principal name response

There is a potential misconfiguration of the service principal name assigned to the AD account used for authentication. Typically you would use the DNS name specified in the proxy setting, however, when an alias is used this is not correct. The SPN assigned to the account needs to be the dereferenced alias record.

To verify if this is the issue you've encountered, do the following:

1. Perform an nslookup for the hostname used in the proxy setting to determine if it is an alias.
   
   Example:
   C:\Users\user>nslookup proxy-alias.ws2012.lab
   
   Server:  vm1.ws2012.lab
   Address:  192.168.2.2
   
   Name:    proxy.ws2012.lab
   Address:  192.168.2.3
   Aliases:  proxy-alias.ws2012.lab
   
   In this example, the proxy-alias.ws2012.lab is specified in the proxy setting and is an alias for proxy.ws2012.lab.
   
   
2. Check the SPN assigned to the proxy's account:

C:\Windows\system32>setspn -L proxyaccount
Registered ServicePrincipalNames for CN=proxyaccount,CN=Users,DC=ws2012,DC=lab:
        HTTP/proxy-alias.ws2012.lab

We can see the alias was specified for the SPN which confirms the misconfiguration.

When testing authentication, you can use the klist command on the client's command line to confirm we are getting a Kerberos ticket: