Correct. You need to add an SPN for all proxy devices you intend to use to the user.
Does the keytab need to be regenerated after modifying the SPN? I added the SPNs, but still cannot authenticate.
Did you modify the keytab or the user to add the SPN (you should only need to modify the user)? In either case you shouldnt need to regenerate the keytab.
Also what was the command you used to generate the initial keytab? I had another customer generating the keytab with the -setupn flag, and it gave the same error.
The issue was resolved. Our AD guy changed the crypto parameter and Kerberos now authenticates. Not sure what command he used, but I think he followed the procedure on the community guide for Kerberos.
Thanks all for the help!