Check the SPN is Mapped to One User Only

There should ONLY be ONE user mapped to a given SPN. If two or more different users are mapped to a given SPN record, Kerberos authentication will ALWAYS FAIL. For more information, see the following blog entry: https://blogs.technet.microsoft.com/askds/2008/06/09/kerberos-authentication-problems-service-principal-name-spn-issues-part-2.

You can use the queryspn.vbs script from https://technet.microsoft.com/library/ee176972.aspx to quickly check that the SPN is mapped to only one user account. For example, if we search for SPN HTTP/proxy.diladele.lan@DILADELE.LAN, the correct output will contain one entry only:

c:\cscript queryspn.vbs HTTP/proxy*
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

CN=squid,CN=Users,DC=diladele,DC=lan
Class: user
User Logon: squid
-- HTTP/proxy.diladele.lan
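
The same check can be scripted so that a conflicting mapping is flagged explicitly instead of being spotted by eye. The following PowerShell is an added example, not part of queryspn.vbs or of the original page; the function name Get-SpnOwner, the account names websafety and sqlsvc, and the sample data are constructed for illustration, and the commented live query assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: list every SPN matching a wildcard pattern together with the
# accounts that hold it, and flag SPNs that are mapped to more than one account.
function Get-SpnOwner {
    param(
        # Objects exposing SamAccountName and ServicePrincipalName properties
        [Parameter(Mandatory)] [object[]] $Account,
        # Wildcard pattern, same style as the queryspn.vbs argument
        [Parameter(Mandatory)] [string]   $Pattern
    )

    # Flatten to (SPN, owner) pairs; -like is case-insensitive, as SPN matching is.
    $pairs = foreach ($a in $Account) {
        foreach ($spn in $a.ServicePrincipalName) {
            if ($spn -like $Pattern) {
                [pscustomobject]@{ Spn = $spn; Owner = $a.SamAccountName }
            }
        }
    }

    # Group-Object compares strings case-insensitively by default, so
    # 'HTTP/proxy...' and 'http/PROXY...' land in the same group.
    $pairs | Group-Object -Property Spn | ForEach-Object {
        $owners = @($_.Group.Owner | Sort-Object -Unique)
        [pscustomobject]@{
            Spn      = $_.Name
            Owners   = $owners
            Conflict = $owners.Count -gt 1   # more than one account: Kerberos will fail
        }
    }
}

# Constructed sample data: 'squid' and 'websafety' both hold the proxy SPN.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'squid';     ServicePrincipalName = @('HTTP/proxy.diladele.lan') }
    [pscustomobject]@{ SamAccountName = 'websafety'; ServicePrincipalName = @('http/PROXY.diladele.lan') }
    [pscustomobject]@{ SamAccountName = 'sqlsvc';    ServicePrincipalName = @('MSSQLSvc/db.diladele.lan:1433') }
)
Get-SpnOwner -Account $sample -Pattern 'HTTP/proxy*' | Format-Table -AutoSize

# Against a live domain (assumption: ActiveDirectory module available):
# $live = Get-ADObject -LDAPFilter '(servicePrincipalName=HTTP/proxy*)' `
#             -Properties sAMAccountName, servicePrincipalName
# Get-SpnOwner -Account $live -Pattern 'HTTP/proxy*'
```

A row with Conflict set to True means the SPN must be removed from all but one of the listed accounts. The built-in setspn -X command performs a comparable domain-wide duplicate search.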