We have a clustered appliance connected to the domain via a direct IWA realm. There is an AD account which has the SPN set, and DNS A records that point to the load balancer.
The Kerberos account which has the SPN set has AES128 and AES256 enabled; however, it seems like the appliance has issues decrypting the tickets. When the account has the etype set to RC4, the appliance seems to be able to authenticate users. Unfortunately this is a managed service and we don't have direct access to the appliance for logs. We get a splash screen which gives the IWA realm error.
Splash screen:
An unrecoverable error was encountered: "The IWA direct realm encountered an unmapped error code, contact your system administrator."
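The symptom in the post (AES-only account fails, RC4-only account works) is what you see when the KDC encrypts the service ticket with an AES key that the service side cannot match: the KDC picks the strongest etype the account advertises in msDS-SupportedEncryptionTypes, and the appliance must hold a key of that same etype, kvno and salt. The following helper is an added example, not code from the original post or from the appliance vendor; it decodes the attribute bitmask, predicts which etype the KDC will use for the service ticket, checks it against the set of key types the appliance is assumed to hold, and builds the default AD salt for a user account (realm in upper case followed by the sAMAccountName, which is where AES keytabs generated under a different name silently break while RC4, being unsalted, keeps working). The attribute values, realm and account name are constructed for illustration.

```python
"""Reason about a Kerberos service-ticket etype mismatch from the AD side.

Added example; the attribute value, realm and account name below are
constructed. Assumes msDS-SupportedEncryptionTypes has been read from the
service account out of band (LDAP, ADUC attribute editor, Get-ADUser).
"""
from typing import Iterable, Optional, Set

# Bit layout of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7).
SUPPORTED_ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",  # AES256 session key only, no ticket key
}

# Order in which the KDC chooses the long-term key that encrypts the service ticket.
KDC_PREFERENCE = [
    "AES256-CTS-HMAC-SHA1-96",
    "AES128-CTS-HMAC-SHA1-96",
    "RC4-HMAC",
    "DES-CBC-MD5",
    "DES-CBC-CRC",
]


def decode_supported_enctypes(value: Optional[int]) -> Set[str]:
    """Turn the attribute bitmask into etype names.

    An unset attribute (None or 0) is treated here as RC4-only, which is the
    classic DC behaviour for user accounts; newer DCs may instead apply the
    DefaultDomainSupportedEncTypes registry default (assumption, check your DCs).
    """
    if not value:
        return {"RC4-HMAC"}
    return {name for bit, name in SUPPORTED_ENCTYPE_BITS.items() if value & bit}


def ticket_etype(account_bits: Optional[int]) -> Optional[str]:
    """Etype the KDC will use to encrypt a service ticket for this account."""
    advertised = decode_supported_enctypes(account_bits)
    for etype in KDC_PREFERENCE:
        if etype in advertised:
            return etype
    return None  # nothing usable: KDC returns KDC_ERR_ETYPE_NOSUPP


def appliance_can_decrypt(account_bits: Optional[int], appliance_key_etypes: Iterable[str]) -> bool:
    """True when the service holds a key of the etype the KDC will pick.

    A False here reproduces the post's failure mode: AES advertised on the
    account, only an RC4 key (or an AES key with the wrong salt/kvno) on the box.
    """
    chosen = ticket_etype(account_bits)
    return chosen is not None and chosen in set(appliance_key_etypes)


def ad_user_salt(realm: str, sam_account_name: str) -> str:
    """Default salt AD uses to derive AES keys for a user account (MS-KILE 3.1.1.2).

    The realm is upper-cased; the sAMAccountName is case-sensitive and is used
    as-is. A keytab created for a different name or realm case yields AES keys
    that never match, while RC4 keys (unsalted NT hash) still work.
    """
    return realm.upper() + sam_account_name


if __name__ == "__main__":
    # Constructed values: account advertises AES128+AES256 (0x18), appliance has only an RC4 key.
    aes_only = 0x18
    rc4_only = 0x04
    appliance_keys = {"RC4-HMAC"}
    print("account etypes:", sorted(decode_supported_enctypes(aes_only)))
    print("KDC will encrypt service ticket with:", ticket_etype(aes_only))
    print("appliance can decrypt (AES account):", appliance_can_decrypt(aes_only, appliance_keys))
    print("appliance can decrypt (RC4 account):", appliance_can_decrypt(rc4_only, appliance_keys))
    print("expected AES salt:", ad_user_salt("corp.example.com", "svc-appliance"))
```

If the output shows the KDC choosing an AES etype that the appliance's keytab does not contain, the options are to re-issue the appliance's Kerberos key material with AES keys generated against the salt printed here (and confirm the kvno matches the account's current value), or, as the poster found, restrict the account to RC4 as a stopgap. The decoder is also a quick way to spot accounts where only the 0x20 session-key bit is set, which enables AES session keys without giving the service an AES ticket key.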