NTLM Kerberos Authentication ?

Question

Hello Team, 
 I was going through this new feature implementation i.e. kerberos authentication in which I have notice few things after configuration that I would like to clarify:- 
 
 1) If we configure browser based proxy with device Hostname then it is going through Kerberos authentication and we are getting AD-SSO Kerberos in live user page 
 2) If we configure browser based proxy with IP address then it is going through NTLM authentication and we are getting AD-SSO NTLM in live user page 
 3) For transparent connection in which I am not configuring any thing in browser proxy then by default it is taking AD-SSO NTLM and not kerberos 
 Is this above details are as in known behavior or am I missing something?

Michael Dunn · Answer

The way Kerberos works (part of the Kerberos spec) is that the client is willing to authenticate with a server that has a SPN (Service Principal Name) in the AD Domain. 
 When the XG joined the domain it got a name like "myxg.myADdomain". 
 Now if myxg.myADdomain ever asks to do "Negotiate" (Kerberos/NTLM) authentication, the client checks and finds there is an SPN for that and sends the client the Kerberos ticket. 
 Now if 192.168.1.1 ever asks to do "Negotiate" (Kerberos/NTLM) authentication, client checks and sees no SPN for 192.18.1.1. Since none is found, it then falls back to doing NTLM. 
 
 On the windows computer: 
 setspn -Q *myxg*

You should see two HTTP entries, one for the bare hostname and one for the hostname.ADdomainname. NOTE: This might be different from the hostname/FQDN that you filled in on the Administration > Admin Settings page. 
 For Kerberos / Transparent 
 The Administration > Admin Settings > Admin console and end-user interaction must be one of the two SPNs. 
 For Kerberos / Standard 
 The proxy server configured on the client must be one of the two SPNs.