Proxy user getting IWA unmapped error that is due to load balanced Kerberos credentials.

Article ID: 242517

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

The user sees the following error in the browser:

Appliance Error (internal_error) An unrecoverable error was encountered. "The IWA direct realm encountered an unmapped error code, contact your system administrator."

The user is authenticating using Kerberos.

Disabling the Kerberos option under the IWA authentication realm makes user authentication work; in other words, NTLM works fine.

A new service account has been created for the load balanced Kerberos credential under the proxy's IWA.

Cause

The LSA logs show the following error:

1738.674 KRB5:  Cannot decrypt ticket for HTTP/[email protected] using keytab key for [email protected] (rd_req_dec.c: 176) (disp_status.c: 156)

This is due to the SPN not being properly registered to the service account user.

Resolution

On the Domain Controller server, run the following "SETSPN" commands.

First, list all the SPNs that are registered to the old service account.

Note: KerberosLBUser is the old service account name, newKerberosLBUser is the new service account name.

setspn -L KerberosLBUser

Note: If the command above lists more than one SPN, you need to de-register the old service account from all of the SPNs and then register all of the SPNs with the new service account.

Then de-register the SPN from the old service account.

setspn -d HTTP/proxy.example.com KerberosLBUser

Then register the same SPN with the new service account.

setspn -A HTTP/proxy.example.com newKerberosLBUser
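
For the case in the note above, where the old account holds more than one SPN, the following is an added PowerShell example (not part of the original article). It parses `setspn -L`, moves each SPN with the same `-d` / `-A` commands, and uses `setspn -Q` to confirm that exactly one account holds it afterwards. The `-Apply` switch and the assumed layout of setspn's output are specific to this example.

```powershell
# Added example: move every SPN from the old service account to the new one.
# Account names are the ones used in this article. Run from an elevated prompt
# on a domain controller with rights to modify both accounts.
param(
    [string]$OldAccount = 'KerberosLBUser',
    [string]$NewAccount = 'newKerberosLBUser',
    [switch]$Apply   # assumption of this example: without -Apply, only report
)

# setspn -L prints a header line followed by one indented SPN per line.
# Assumption: SPN lines are the indented ones that contain a '/'.
$spns = @(setspn -L $OldAccount |
    Where-Object { $_ -match '^\s+\S+/\S+' } |
    ForEach-Object { $_.Trim() })
if ($LASTEXITCODE -ne 0) { throw "setspn -L failed for $OldAccount" }

if ($spns.Count -eq 0) {
    Write-Host "No SPNs are registered to $OldAccount."
    return
}

foreach ($spn in $spns) {
    if (-not $Apply) {
        Write-Host "Would move $spn from $OldAccount to $NewAccount"
        continue
    }

    # De-register from the old account first so the SPN is never held twice.
    setspn -d $spn $OldAccount | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not remove $spn from $OldAccount"; continue }

    setspn -A $spn $NewAccount | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not add $spn to $NewAccount"; continue }

    # setspn -Q lists each account holding the SPN (assumed: one "CN=..." line each).
    # More than one holder is a duplicate SPN, which also breaks Kerberos authentication.
    $holders = @(setspn -Q $spn | Where-Object { $_ -match '^CN=' })
    if ($holders.Count -ne 1) {
        Write-Warning "$spn is held by $($holders.Count) accounts: $($holders -join '; ')"
    } else {
        Write-Host "$spn is now registered to $($holders[0])"
    }
}
```

Run it once without `-Apply` to review the list of SPNs that would move, then again with `-Apply` to make the change.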