Kerberos Authentication Fails with Windows Defender Credential Guard enabled

Article ID: 367888

Products

SITEMINDER

Issue/Introduction

Kerberos authentication fails on Windows systems that have Windows Defender Credential Guard enabled.

Cause

The Microsoft documentation (Credential Guard overview) states that "Applications break if they require" "Kerberos unconstrained delegation". SiteMinder does not require unconstrained delegation, and we recommend configuring the accounts for constrained delegation (so they can only delegate to the specific policy server).

Resolution

Configure the accounts for constrained delegation.

This is configured in Active Directory on the Delegation tab of the SiteMinder Access Gateway and/or Web Agent accounts, to allow them to request delegated credentials to the SiteMinder Policy Server.

(NOTE: Delegation is only needed on the agent accounts, those used by SiteMinder Access Gateway and/or Web Agents. Delegation IS NOT needed on the account used by the policy server.)
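
The same check and change can be scripted with the ActiveDirectory PowerShell module. The script below is an added example, not part of the original article or of SiteMinder. It assumes the agent accounts are user-type service accounts; the account names and the Policy Server SPN are placeholders to replace with your own values.

```powershell
# Added example: audit the SiteMinder agent accounts for unconstrained delegation
# and, optionally, switch them to constrained delegation to the Policy Server.
# Requires the RSAT ActiveDirectory module and rights to modify the accounts.
Import-Module ActiveDirectory

# Placeholders (assumptions, not values from the article).
$AgentAccounts   = @('<access-gateway-account>', '<web-agent-account>')
$PolicyServerSpn = '<service-class>/<policy-server-fqdn>'
$Fix             = $false   # leave $false to report only; $true applies the change

foreach ($name in $AgentAccounts) {
    $acct = Get-ADUser -Identity $name -Properties TrustedForDelegation,
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    # SPNs this account may delegate to (the list shown on the Delegation tab).
    $targets = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    # TrustedForDelegation = "Trust this user for delegation to any service",
    # i.e. unconstrained delegation, which Credential Guard blocks.
    $mode = if ($acct.TrustedForDelegation) { 'Unconstrained' }
            elseif ($targets.Count -gt 0)   { 'Constrained' }
            else                            { 'None' }

    [pscustomobject]@{
        Account             = $acct.SamAccountName
        Mode                = $mode
        ProtocolTransition  = $acct.TrustedToAuthForDelegation  # reported only, not changed
        AllowedToDelegateTo = $targets -join '; '
        PolicyServerListed  = $targets -contains $PolicyServerSpn
    }

    if ($Fix) {
        if ($acct.TrustedForDelegation) {
            # Clear the unconstrained delegation flag.
            Set-ADAccountControl -Identity $acct -TrustedForDelegation $false
        }
        if ($targets -notcontains $PolicyServerSpn) {
            # Allow delegation only to the Policy Server SPN.
            Set-ADUser -Identity $acct -Add @{ 'msDS-AllowedToDelegateTo' = $PolicyServerSpn }
        }
    }
}
```

Run it once with `$Fix = $false` to see which agent accounts report `Unconstrained`, then rerun with `$Fix = $true` and confirm each account shows `Constrained` with the Policy Server SPN listed.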