The user sees the following error in the browser:
Appliance Error (internal_error) An unrecoverable error was encountered. "The IWA direct realm encountered an unmapped error code, contact your system administrator."
The user is authenticating using Kerberos.
Disabling the Kerberos option under the IWA authentication realm makes user authentication work fine; in other words, NTLM works fine.
A new service account has been created for the load-balanced Kerberos credential under the proxy's IWA.
On the Domain Controller server, run the following "SETSPN" commands.
View all the SPNs that are registered to the old service account.
Note: KerberosLBUser is the old service account name, newKerberosLBUser is the new service account name.
setspn -L KerberosLBUser
Note: If the command above lists more than one SPN, you need to de-register the old service account from all of the SPNs and then register all of the SPNs with the new service account.
Then de-register the old service account.
setspn -d HTTP/proxy.broadcom.com KerberosLBUser
Then register the new service account.
setspn -A HTTP/proxy.broadcom.com newKerberosLBUser
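The steps above as one script, for the case in the note where the old account holds more than one SPN. This is an added example, not part of the original article; the helper name Get-AccountSpn is hypothetical, and the parsing assumes "setspn -L" prints each SPN on its own indented line.

```powershell
# Added example: move every SPN from the old service account to the new one.
# Account names are the ones used in this article. Run on the Domain Controller
# from a session with rights to modify both accounts.
$OldAccount = 'KerberosLBUser'
$NewAccount = 'newKerberosLBUser'

function Get-AccountSpn([string]$Account) {
    # Hypothetical helper. Assumption: "setspn -L" prints a header line,
    # then one indented SPN per line.
    $out = & setspn.exe -L $Account
    @($out | Where-Object { $_ -match '^\s+\S' } | ForEach-Object { $_.Trim() })
}

$spns = @(Get-AccountSpn $OldAccount)
if ($spns.Count -eq 0) { throw "No SPNs found on $OldAccount; check the account name." }

foreach ($spn in $spns) {
    Write-Host "Moving $spn from $OldAccount to $NewAccount"
    & setspn.exe -d $spn $OldAccount   # de-register from the old account
    & setspn.exe -A $spn $NewAccount   # register to the new account
}

# Verify by listing both accounts again rather than trusting command output.
$left    = @(Get-AccountSpn $OldAccount)
$moved   = @(Get-AccountSpn $NewAccount)
$missing = @($spns | Where-Object { $moved -notcontains $_ })

if ($left.Count -gt 0)    { Write-Warning "Still on ${OldAccount}: $($left -join ', ')" }
if ($missing.Count -gt 0) { Write-Warning "Not on ${NewAccount}: $($missing -join ', ')" }
if ($left.Count -eq 0 -and $missing.Count -eq 0) {
    Write-Host "All $($spns.Count) SPN(s) are now registered to $NewAccount."
}

# The same SPN on two accounts makes Kerberos ticket requests fail;
# "setspn -X" reports any duplicates in the domain.
& setspn.exe -X
```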