All Web activity fails, and generates authentication prompts when connecting to an internal proxy server using Kerberos authentication when using the Symantec Endpoint Protection (SEP) client Web Traffic Redirection (WTR) feature.
The SEP client WTR feature creates a Local Proxy Service (LPS), which listens on the loopback interface of the client computer and connects to the downstream proxy to fulfill the requests. When the downstream proxy requests authentication, the LPS relays the authentication request to the Web client. The Web client sees the request as coming from localhost (either 127.0.0.1, or ::1). Since Kerberos requires the requestor and grantor both use a fully-qualified domain name (FQDN), the authentication request is ignored. The current version of SEP WTR does not have the ability to proxy Kerberos requests.
The SEP client WTR component is not compatible with Kerberos authentication. Instead, use one of the following:
Use an alternate proxy authentication method for the affected client(s)
Disable Web Traffic Redirection and specify the proxy using another method