Kerberos is an open authentication protocol based on UDP that lets users perform Single Sign-On (SSO) securely. Kerberos is enabled by default on Windows Servers when Active Directory (AD) is used. All Blue Coat ProxySG appliances are Kerberos capable when correctly configured with an IWA realm.
The Kerberos error message "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN" occurs on the client side when the client tries to retrieve a Kerberos ticket-granting ticket (TGT) from the Active Directory Domain Controller while authenticating against the proxy. As a consequence, SSO fails and users are prompted to enter their credentials manually in the web browser.
This specific error has been documented on Microsoft's side since early 2023. Here are the key details:
Other documented causes for this error are:
Here is the documented resolution from Microsoft:
Other documented resolutions (prior to the Microsoft article in 2023):
Upgrading the AD to a higher functional level can be helpful, as this Kerberos server/client compatibility problem should be fixed with forest functional level 2008 and higher.