I've established user login identity impersonation and delegation for a
multi-tier web application.  I'm running into a case where authentication
fails when a user accesses the app from a browser on one machine, but not
from another machine.

The relevant details -- in both cases, all of the following are in effect:

Same user account.
Same web application, same IIS host.
Client OS is XP Pro SP2.
Client browser is IE 6.0.
Both instances of IE have Windows integrated authentication enabled, and the
browsers were restarted.
Both instances of IE have the web app host in their list of Intranet sites.

I sniffed the packet traffic for both cases.  In both cases, I see the
expected initial anonymous request for the application URL, with the
expected 401 response.  The 401 response header in both cases includes
WWW-Authenticate: Negotiate and WWW-Authenticate: NTLM as authentication
options.

In the good case, the client responds by going to the Kerberos server to
authenticate itself and ask for a ticket for the server.  All is good from
there on.

In the bad case, the client does not authenticate using Kerberos at all, but
immediately replies to the web server with NTLM credentials.  This fails.

The good client responds to the 401 by trying Kerberos first.  The bad
client responds by trying NTML first, and never trying Kerberos at all.

I can make the good client behave *exactly* like the bad one by disabling
Windows integrated authentication in the good browser.  Enabling windows
integrated authentication and adding the web app host to the intranet site
list are the only fixes for the bad client that I can find in the MSDN docs,
and I've put those in place, but still no joy.

Any suggestions on what else to look at?

Many thanks -

R