[liso]

By default, Kerberos will fail back to NTLM when:

* Authenticating against a pre-NT 4.0 server * Accessing a domain resource via IP * Accessing a resource on a non-domain member * Accessing a resource on a computer that does not support Kerberos (Windows 3.11, Windows 95, etc.)

It's trivial to force this downgrade on most domains.