No and yes. To avoid difficulties, this manual recommends to disable proxy usage for the Stages server via browser configuration.
The problem is that the SPNego authentication headers might get modified or even be removed by a proxy. Furthermore a proxy has to take care of not sharing authenticated connections between several clients. There are proxy implementations which are capable of handling SPNego sessions correctly but in general we do not recommend proxy usage.
Ktpass will automatically map a SPN (service principal name) to the user account. Before you can call ktpass again, you have to remove this mapping manually.
Step 1: Check for Assigned SPNs
C:\temp>setspn -l pkit Registered ServicePrincipalNames for CN=pkit,CN=Users,DC=pkitbuild,DC=er,DC=methodpark,DC=de: HTTP/pkit.pkitbuild.er.methodpark.de C:\temp>
Step 2: For each SPN, remove it
C:\temp>setspn -d HTTP/pkit.pkitbuild.er.methodpark.de pkit Unregistering ServicePrincipalNames for CN=pkit,CN=Users,DC=pkitbuild,DC=er,DC=m ethodpark,DC=de HTTP/pkit.pkitbuild.er.methodpark.de Updated object C:\temp>
Kerberos is a security protocol. For security reasons it is necessary to have a globally unique network identification. Both, localhost and abbreviated host names are not globally unique. For this reason you always have to use the FQDN (full qualified domain name).
In an Active Directory environment the Kerberos Realm is equal to the Domain name of Windows. You can find the Domain name in System Control > System > Network Identification.