Check the SPN is Mapped to One User Only
There should ONLY be ONE user mapped to a given SPN. If you have two or more different users mapped to a given SPN record Kerberos authentication will ALWAYS FAIL. For more information see the following blog entry https://blogs.technet.microsoft.com/askds/2008/06/09/kerberos-authentication-problems-service-principal-name-spn-issues-part-2.
You can use the queryspn.vbs script from https://technet.microsoft.com/library/ee176972.aspx to quickly check that SPN is only mapped to one user account. For example, if we search for SPN
HTTP/proxy.diladele.lan@DILADELE.LAN the correct output will be one entry only:
c:\cscript queryspn.vbs HTTP/proxy* Microsoft (R) Windows Script Host Version 5.812 Copyright (C) Microsoft Corporation. All rights reserved. CN=squid,CN=Users,DC=diladele,DC=lan Class: user User Logon: squid -- HTTP/proxy.diladele.lan