SSPI negociation dilemma

When SSPI is in "negociate mode", NTLM seems to be the favorite one (a legacy story). But when and why SSPI will consider (and pick) Kerberos ?

(As far as I can see, when a client and server are on the same machine, NTLM is picked out)

Kerberos is preferred over NTLM and used whenever it's possible, i.e:

• client machine is logged into Active Directory
• client machine can access DNS
• DNS contains A record (not CNAME-alias) - for server, which client wants to access (both forward and backward), so that web browser could transform it into correct SPN
• no duplicated SPNs
• webserver runs on another machine than client webbrowser
• there must be at least one encoding type, which both machines support (defined in krb5.ini)