The device account should be used to decrypt the Kerberos token/ticket which is acquired from Active Listing and forwarded from the customer to your server to authenticate the user. Register the Provider Principal Identify (SPN) to the host, not the person on the app. Since the “Article-Redirect-Get” sample says, in https://hire-sameone-to-do-asp-ne04917.blogdanica.com/28459123/how-asp-net-assignment-help-can-save-you-time-stress-and-money
