Kerberos is preferred over NTLM and is used whenever possible, i.e. when:
- the client machine is logged into Active Directory
- the client machine can access DNS
- DNS contains an A record (not a CNAME alias) for the server the client wants to access, resolvable in both directions (forward and reverse), so that the web browser can transform the name into the correct SPN
- there are no duplicate SPNs
- the web server runs on a different machine than the client's web browser
- there is at least one encryption type that both machines support (defined in krb5.ini)
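
The checklist above can be turned into a small diagnostic that reports which condition forces the fallback to NTLM. This is an added example, not code from the original page; the DNS records, SPN registrations, account names and the `kerberos_blockers` helper are constructed for illustration, and the `HTTP/<hostname>` SPN form is an assumption.

```python
# Constructed sample data standing in for DNS and the directory's SPN registrations.
DNS_A = {"web01.corp.example": "10.0.0.15", "app02.corp.example": "10.0.0.16"}
DNS_CNAME = {"intranet.corp.example": "web01.corp.example"}
DNS_PTR = {"10.0.0.15": "web01.corp.example", "10.0.0.16": "app02.corp.example"}
SPNS = [
    ("HTTP/web01.corp.example", "svc_web"),
    ("HTTP/app02.corp.example", "svc_app"),
    ("HTTP/app02.corp.example", "svc_legacy"),  # same SPN on a second account
]


def kerberos_blockers(host, client_host, client_etypes, server_etypes,
                      domain_joined=True):
    """Return the checklist conditions that fail (empty list: Kerberos is possible)."""
    problems = []
    host = host.lower()
    if not domain_joined:
        problems.append("client not logged into Active Directory")
    # The name must resolve through an A record, and the reverse lookup must agree.
    if host in DNS_CNAME:
        problems.append("name is a CNAME alias, not an A record")
    elif host not in DNS_A:
        problems.append("no A record in DNS")
    elif DNS_PTR.get(DNS_A[host], "").lower() != host:
        problems.append("reverse lookup does not match forward lookup")
    # An SPN registered on more than one account makes the ticket request ambiguous.
    spn = ("HTTP/" + host).lower()
    owners = {account for name, account in SPNS if name.lower() == spn}
    if len(owners) > 1:
        problems.append("duplicate SPN")
    if host == client_host.lower():
        problems.append("web server and browser on same machine")
    # Both sides need at least one encryption type in common.
    if not set(client_etypes) & set(server_etypes):
        problems.append("no common encryption type")
    return problems


if __name__ == "__main__":
    for name in ("web01.corp.example", "intranet.corp.example", "app02.corp.example"):
        found = kerberos_blockers(name, "pc7.corp.example",
                                  ["aes256-cts", "rc4-hmac"], ["aes256-cts"])
        print(name, "->", found or "Kerberos possible")
```
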