When using Citrix pass-through on the web interface with Kerberos authentication, everything seems to work very well at first.
But then you might discover that some of your applications running on the XenApp server depend on NTLM for authentication.
This is where the fun part starts: how do you disable Kerberos, and only for the applications started from the XenApp server?
What worked for us in the lab is to edit the local file C:\Program Files (x86)\Citrix\ICA Client\WFClient.ini and change the line SSPIEnabled=On to SSPIEnabled=Off.
This will disable Kerberos and allow NTLM to work on the applications.
This requires no change to your Citrix client GPO settings and no change to the configuration on the web interface.
The change to the WFClient.ini file can be pushed out by a GPP (Group Policy Preference).
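As an added example (not from the original post), here is a PowerShell function that reports or applies the SSPIEnabled change described above on a single client, useful for checking the result before building the GPP item. The function name, the default 64-bit install path and the ANSI file encoding are assumptions.

```powershell
# Added example: audit or set SSPIEnabled in WFClient.ini.
# Assumptions: default 64-bit install path; file is ANSI-encoded.
function Set-IcaSspiEnabled {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = "${env:ProgramFiles(x86)}\Citrix\ICA Client\WFClient.ini",
        [ValidateSet('On', 'Off')]
        [string]$Value = 'Off'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "WFClient.ini not found at $Path"
    }

    $enc     = [System.Text.Encoding]::Default
    $lines   = [System.IO.File]::ReadAllLines($Path, $enc)
    $pattern = '^\s*SSPIEnabled\s*=\s*(\S*)\s*$'
    $hits    = @($lines | Where-Object { $_ -match $pattern })

    if ($hits.Count -eq 0) {
        # Do not guess which section the key belongs in; report and stop.
        Write-Warning "No SSPIEnabled line in $Path; file left unchanged."
        return
    }

    $current = ($hits[0] -replace $pattern, '$1')
    if ($hits.Count -eq 1 -and $current -ieq $Value) {
        Write-Verbose "SSPIEnabled is already $Value."
        return
    }

    if ($PSCmdlet.ShouldProcess($Path, "Set SSPIEnabled=$Value (was $current)")) {
        # Keep a copy of the original so the change can be rolled back.
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
        $updated = $lines | ForEach-Object {
            if ($_ -match $pattern) { "SSPIEnabled=$Value" } else { $_ }
        }
        [System.IO.File]::WriteAllLines($Path, [string[]]$updated, $enc)
    }
}

# Report what would change without touching the file:
Set-IcaSspiEnabled -WhatIf
```

Run it from an elevated prompt without -WhatIf to apply the change; a backup is written next to the file as WFClient.ini.bak.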
It looks like the logon at the web interface then still uses Kerberos, but from there on NTLM is used. This still has to be investigated further, and maybe someone out there can shed some light on the subject?
This has been tested on Receiver versions 3.2 and 3.3 against XenApp 6.5 Rollup 1 and Web Interface 5.4.