If the environment's Active Directory KDC server has raised encryption levels, then any AD account, including the AppPortal service account, will require the "This account supports Kerberos AES 256 bit encryption" option to be checked ON in the AD user object.

If this is not done, then a number of symptoms can be seen:

1) user specifc logs in \Program Files (x86)\Flexera Software\App Portal\Logs\UserLog will show an error like:

Unable to detetct group membership for user : DOMAIN\USERACCOUNT The encryption type requested is not supported by the KDC.

2) IIS logs will show that the user can authenticate to the AppPortal UI, but when clicking through to parts of the configuration the following notification will be seen on the main pane:

You do not have access to this area.

I found this while testing AppPortal 2021R2, however I believe the behaviour is the same across other versions.

Further reading:
https://docs.microsoft.com/en-us/sharepoint/troubleshoot/security/configuration-to-support-kerberos-aes-encryption