Modern Windows clients use Kerberos authentication in the following three situations:
Initial computer startup. The client computer uses credentials stored in the LSA database to authenticate with an Active Directory domain controller. It then establishes a secure channel to that logon server.
Kerberos Authentication in Mixed Domains
A modern Windows computer that belongs to a Mixed domain will always authenticate with an Active Directory-based domain controller if one is available. This is true even if the computer must authenticate across the WAN to get to the AD-based domain controller.
Modern Windows clients check for service locator (SRV) records in DNS every time they start. As long as they don't see any ...