The IWA direct realm encountered an unmapped error code, contact your system administrator.

Article ID: 274509


Products

ProxySG Software - SGOS ISG Proxy

Issue/Introduction

When the client machine's proxy setting points to the ProxySG hostname instead of the DNS name of the LB IP or failover IP, the client sees the following error:

Appliance Error (internal_error)

An unrecoverable error was encountered: "The IWA direct realm encountered an unmapped error code, contact your system administrator."
This problem is unexpected. Please use the contact information below to obtain assistance.

For assistance, contact your network support team.

Environment

- ProxySG is configured with IWA Direct in an explicit Kerberos load balancing/failover scenario, and a Kerberos load balancing account is configured under the authentication realm.
- A single authentication realm is configured.
- The ProxySG hostname is used in the client machine's proxy settings.
- When the DNS name of the LB IP or failover IP is used in the client proxy settings instead, authentication works fine.

Cause

If a Kerberos load balancing account is configured under the authentication realm, the ProxySG always tries to decrypt Kerberos tokens with the credentials of that load balancing account. When the ProxySG's own hostname is set in the browser proxy settings, the client presents a service ticket issued for that hostname, but the ProxySG still tries to decrypt it with the Kerberos LB account credentials rather than with its own machine account. The decryption fails, and that failure surfaces as the unmapped error code.

Resolution

With a single realm, the ProxySG decrypts tickets either with its machine account (when no LB service account credentials are set) or with the LB service account (when its credentials are set), never both. This behavior is expected.

If business needs require Kerberos tokens to be decrypted with both the Kerberos LB account and the ProxySG's machine account, two separate authentication realms should be created: one based on the Kerberos LB account and the other on the ProxySG's machine account. Client traffic must then be directed to the appropriate realm using source conditions in an authentication layer policy.

Additional Information

In the LSA debug output, the error "mapping unknown error code -1765328349 to AUTH_E_ONBOX_UNMAPPED_ERROR" is observed. The proxy is using the service account to decrypt the service ticket presented by the client, and the decryption fails:

5054.382 KRB5-TRACE:  [16777788] 1696320180.403182: Failed to decrypt AP-REQ ticket: -1765328349/Cannot find key for [email protected] kvno 2 in keytab (request ticket server HTTP/[email protected]) (rd_req_dec.c: 151)
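The following model illustrates the Cause and Resolution sections above: a Kerberos service ticket is encrypted under the key of the principal the client asked for, and the proxy can only read it if that principal and key version are in the keytab its realm was configured with. This is an added example written for this article, not ProxySG code; the realm names, SPNs, keys and the hostname-to-realm policy mapping are constructed assumptions, and an HMAC tag stands in for real Kerberos ticket encryption.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample names (not from the article). A client pointed at the
# LB/failover DNS name asks the KDC for a ticket to LB_SPN; a client pointed
# at the appliance's own hostname asks for HOST_SPN.
REALM = "EXAMPLE.COM"
LB_SPN = f"HTTP/proxy-lb.example.com@{REALM}"
HOST_SPN = f"HTTP/sg-node1.example.com@{REALM}"

# Constructed KDC key database: principal -> (kvno, key). The machine
# account and the Kerberos LB account are distinct principals with
# distinct keys.
KDC_KEYS = {LB_SPN: (2, b"lb-account-key"), HOST_SPN: (5, b"machine-account-key")}


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    key: bytes


@dataclass(frozen=True)
class ServiceTicket:
    sname: str   # service principal the KDC encrypted the ticket for
    kvno: int    # version of that principal's key that was used
    tag: bytes   # stands in for the encrypted ticket


def _seal(key: bytes, spn: str, kvno: int) -> bytes:
    # HMAC stands in for etype encryption: only a holder of `key` can
    # produce or verify this value.
    return hmac.new(key, f"{spn}:{kvno}:ticket".encode(), hashlib.sha256).digest()


def kdc_issue_ticket(spn: str) -> ServiceTicket:
    """Client side: TGS-REQ for `spn`; the KDC returns a ticket sealed
    under that service principal's current key."""
    kvno, key = KDC_KEYS[spn]
    return ServiceTicket(spn, kvno, _seal(key, spn, kvno))


def rd_req(keytab: list[KeytabEntry], ticket: ServiceTicket) -> str:
    """Proxy side (reading the AP-REQ): locate the key for the ticket's
    principal/kvno in the keytab and verify the ticket with it.
    Returns 'OK' or a krb5-style error text like the one in the trace."""
    for entry in keytab:
        if entry.principal == ticket.sname and entry.kvno == ticket.kvno:
            if hmac.compare_digest(_seal(entry.key, ticket.sname, ticket.kvno), ticket.tag):
                return "OK"
            return "Decrypt integrity check failed"
    return f"Cannot find key for {ticket.sname} kvno {ticket.kvno} in keytab"


def keytab_for(principal: str) -> list[KeytabEntry]:
    """A realm's keytab holds only the key of the account it was set up with."""
    kvno, key = KDC_KEYS[principal]
    return [KeytabEntry(principal, kvno, key)]


# Realm configurations, modelled as: realm name -> keytab it decrypts with.
# Single realm with LB account credentials configured: only the LB key.
SINGLE_REALM_LB = {"IWA_Direct": keytab_for(LB_SPN)}
# Two realms, one per account, as the Resolution section describes.
TWO_REALMS = {"IWA_LB": keytab_for(LB_SPN), "IWA_Host": keytab_for(HOST_SPN)}

# Hypothetical policy: choose the realm by the proxy name the client
# connected to. The article only says traffic must be separated by an
# authentication-layer source condition; this mapping is an assumption.
POLICY_BY_CONNECTED_NAME = {
    "proxy-lb.example.com": "IWA_LB",
    "sg-node1.example.com": "IWA_Host",
}


def authenticate(realms: dict, connected_name: str) -> str:
    """Simulate a client whose proxy setting is `connected_name`: it obtains
    a ticket for HTTP/<connected_name> and the proxy tries to read it."""
    spn = f"HTTP/{connected_name}@{REALM}"
    ticket = kdc_issue_ticket(spn)
    if len(realms) == 1:
        realm = next(iter(realms))
    else:
        realm = POLICY_BY_CONNECTED_NAME[connected_name]
    return rd_req(realms[realm], ticket)


if __name__ == "__main__":
    for realms, name in [(SINGLE_REALM_LB, "proxy-lb.example.com"),
                         (SINGLE_REALM_LB, "sg-node1.example.com"),
                         (TWO_REALMS, "sg-node1.example.com")]:
        print(f"{len(realms)} realm(s), client -> {name}: {authenticate(realms, name)}")
```

Running it shows the three cases from the article: the single LB realm accepts a client pointed at the LB name, rejects one pointed at the appliance hostname with a "Cannot find key ... in keytab" failure, and the two-realm layout with per-name routing accepts both.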