Hopefully I can get input from someone who knows Kerberos better than I.
We have a SharePoint 2010 server that is in one domain, let's call it Domain A. The web application identity is a service account in Domain A. We registered the Kerberos SPN for the web application.
Most of our users and their computers are in Domain B. Domain A and Domain B are in the same Forest and there is a two-way trust between them.
However, when a user in Domain B tries to access the web application, it falls back to NTLM. When a user in Domain A accesses the web application, Kerberos is successfully used to authenticate him/her.
I'm trying to understand why Domain B users cannot authenticate using Kerberos.