Is this Kerberos/AD setup possible?

Without seeing the packet capture, I'd guess the HTTP/www.website.com SPN needs to be registered to the account running the application. Microsoft's Directory Services team has a great multi-part post addressing this topic at the following URL.

https://blogs.technet.microsoft.com/askds/2008/05/29/kerberos-authentication-problems-service-principal-name-spn-issues-part-1/

Run a packet capture (Netmon, Wireshark) from a client in each environment to identify what SPN is being looked up. Once that's determined, use the setspn command to register it to the account running the application.

FWIW, Kerberos only works while on the LAN. If someone needs access where the domain controllers are not accessible, then you'll want to consider an SSO such as Shibboleth or ADFS.

EDIT: as mentioned by @alex-h, the browsers will need to be configured to silently authenticate via Kerberos.

  • Internet Explorer - while the TechNet article isn't specifically for your application, the steps are the same.
  • Firefox - same as the IE link, not exact match but steps are the same.

Lastly, this is a common issue with Microsoft SharePoint deployments. They want SSO via Kerberos to happen silently once users have authenticated to the domain. Thus if the above answers don't solve your issue, try checking their forums such as the following:

Kerberos on Chrome, Safari or FireFox
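The capture-then-register procedure above, written out as an added PowerShell example. This is not code from the answer or from the linked TechNet posts; it assumes the SPN in question is HTTP/www.website.com and that the application runs as a hypothetical service account CONTOSO\svc_webapp, and it expects Wireshark's tshark to be on the PATH for the capture step. The Wireshark field names (kerberos.msg_type, kerberos.SNameString, kerberos.error_code) and the setspn switches are real; the account name and capture file name are placeholders.

```powershell
# Added example, not part of the original answer.
# Placeholders: adjust to your environment.
$Spn            = 'HTTP/www.website.com'   # SPN the browser will ask the KDC for
$ServiceAccount = 'CONTOSO\svc_webapp'     # hypothetical account running the app pool/service
$Capture        = 'C:\temp\client-kerb.pcapng'  # capture taken on a client while reproducing the failure

# 1. From the client capture, list the service names in every TGS-REQ (msg-type 12).
#    This tells you exactly which SPN the client asked for, e.g. HTTP/www.website.com,
#    which may differ from what you expect if a CNAME or a port is involved.
Write-Host '--- SPNs requested by the client (TGS-REQ) ---'
tshark -r $Capture -Y 'kerberos.msg_type == 12' -T fields -e ip.dst -e kerberos.SNameString

# 2. Look for KRB-ERROR replies with error-code 7 (KDC_ERR_S_PRINCIPAL_UNKNOWN):
#    the KDC could not find any account holding that SPN.
Write-Host '--- KDC replies: SPN unknown (error code 7) ---'
tshark -r $Capture -Y 'kerberos.error_code == 7' -T fields -e ip.src -e kerberos.SNameString

# 3. Check whether the SPN is already registered anywhere in the forest.
#    A duplicate registration breaks Kerberos just as surely as a missing one,
#    so check before adding.
Write-Host "--- Querying forest for $Spn ---"
$query = setspn -Q $Spn
$query
if ($query -match 'Existing SPN found') {
    Write-Host "SPN already registered. Verify it is on $ServiceAccount and not on another account:"
    setspn -L $ServiceAccount
    # setspn -X walks the forest and reports duplicated SPNs.
    setspn -X
} else {
    # 4. Register the SPN to the account the application runs as.
    #    -S checks for duplicates before adding, unlike the older -A.
    Write-Host "Registering $Spn on $ServiceAccount"
    setspn -S $Spn $ServiceAccount
}

# 5. Confirm the account's SPN list and then, on the client, purge cached tickets
#    (klist purge) and reload the site so a fresh TGS-REQ is sent.
Write-Host "--- SPNs now registered on $ServiceAccount ---"
setspn -L $ServiceAccount
```

Run steps 3 to 5 on a domain member with RSAT (setspn.exe) as a user allowed to write servicePrincipalName on the service account. After registering, a working client-side test is `klist purge`, reload the page, then `klist`: a cached ticket whose server name matches the SPN shows the negotiation completed.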