This article explains how to relay the user credentials to Symantec.cloud authenticating with the Active Directory controller, using the Kerberos authentication method instead of NTLM.
The first step is to give the Client Site Proxy server a Fully Qualified Domain Name (FQDN) so that in the Internet Explorer settings you point to the FQDN not the internal IP or host name. This will involve possibly rolling out this on the local zone file on every machine, or by adding an A record within your local DNS server for example csp.exampledomain.local to point to the IP address of the server where your Client Site Proxy is installed on (this is a far more manageable solution if you have an internal DNS server available). Please note: depending on your internal DNS server configuration it may take a little while for this change to take effect. To check when this change has taken effect the new FQDN can be tested at the command prompt by pinging the FQDN (for example csp.exampledomain.local).