Verify the client can reach the proxy and the target service over the required ports
Confirm the proxy is configured for transparent mode
Check that Kerberos is enabled on the proxy
Ensure the service principal name matches the requested hostname
Verify DNS resolves the target hostname correctly
Confirm reverse DNS is not causing mismatches
Check that the client and server clocks are synchronized
Verify Kerberos realm, domain, and KDC settings are correct
Confirm the client has a valid Kerberos ticket
Run klist to inspect current tickets
Renew or reauthenticate if the ticket is expired
Check that the proxy is not rewriting the Host header unexpectedly
Ensure the proxy preserves the original destination hostname
Verify the backend server accepts Kerberos authentication
Confirm the backend server has the correct keytab or service account
Check for SPN duplication in Active Directory or the KDC
Verify the browser or client is configured for Integrated Authentication
Add the site to the trusted or intranet zone if required
Confirm the proxy supports delegation if backend impersonation is needed
Verify constrained delegation settings if used
Check proxy and backend logs for Kerberos error codes
Look for KRB_AP_ERR_MODIFIED errors
Look for KDC_ERR_S_PRINCIPAL_UNKNOWN errors
Look for clock skew errors
Test authentication with a direct connection bypassing the proxy
Test with a different client to isolate client-side issues
Clear cached credentials and retry
Restart proxy, client, or authentication services after configuration changes
Validate that NTLM fallback is not masking Kerberos failures
Confirm firewall or security devices are not blocking Kerberos traffic
Recreate or reimport the keytab if credentials changed
Verify encryption types are supported by both client and server
Check browser proxy settings and PAC file behavior
Confirm no SSL inspection or interception is breaking Kerberos flow
Use packet capture to inspect SPNEGO and Kerberos negotiation
Validate that the proxy forwards authentication headers correctly
Ensure the backend service account password has not changed unexpectedly
Rejoin or reconfigure the service principal if the environment was rebuilt
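
For the NTLM fallback and SPNEGO inspection checks above, this added example (not part of the original checklist) classifies the first token of each captured Authorization header as Kerberos or NTLM. The function names, client addresses and sample tokens are constructed for illustration, and only initial tokens are classified, not later legs of the exchange.

```python
import base64
import binascii

# DER-encoded mechanism OIDs (tag 0x06, length, value bytes).
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM_SIG = b"NTLMSSP\x00"  # signature that opens every NTLM message


def classify_authorization(value):
    """Classify an Authorization header value as kerberos, ntlm, other or invalid."""
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in ("negotiate", "ntlm"):
        return "other"
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return "invalid"
    # NTLM shows up raw or wrapped in SPNEGO; the signature is present either way.
    if NTLM_SIG in token:
        return "ntlm"
    # GSS-API initial tokens start with application tag 0x60 and carry the mech OID.
    if token[:1] == b"\x60" and (OID_KRB5 in token or OID_MS_KRB5 in token):
        return "kerberos"
    return "other"


def ntlm_fallback_clients(requests):
    """Return sorted clients that sent at least one NTLM token."""
    return sorted({client for client, value in requests
                   if classify_authorization(value) == "ntlm"})


def negotiate(token):
    """Build a Negotiate header value from raw token bytes."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed samples: a minimal SPNEGO NegTokenInit offering Kerberos (no real
# ticket inside) and an NTLM Type 1 header with zeroed fields.
SAMPLE_KRB = bytes.fromhex("601b") + OID_SPNEGO + bytes.fromhex("a011300fa00d300b") + OID_KRB5
SAMPLE_NTLM = NTLM_SIG + (1).to_bytes(4, "little") + bytes(24)
SAMPLE_REQUESTS = [
    ("10.0.0.11", negotiate(SAMPLE_KRB)),
    ("10.0.0.12", negotiate(SAMPLE_NTLM)),
    ("10.0.0.13", "Basic dXNlcjpwYXNz"),
]

if __name__ == "__main__":
    print("NTLM fallback:", ntlm_fallback_clients(SAMPLE_REQUESTS))
```

A client that authenticates successfully but appears in the NTLM list is one where Kerberos failed silently; continue with the SPN, DNS and clock checks for that client.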
