Memory Buffer

When does SPNego fallback to NTLM in WCF

Posted by: memorybuffer on: June 19, 2009

SPNEGO is the Windows negotiation mechanism that lets a client and a service agree on which security support provider (SSP) to use for authentication. WCF relies on it for Windows authentication. Under SPNEGO, Kerberos is always the preferred SSP; if Kerberos fails, SPNEGO is supposed to fall back to NTLM.

But that statement is not always true: SPNEGO does not fall back to NTLM every time Kerberos fails. Whether it does depends on how, and where, Kerberos failed.

Assuming the AllowNtlm knob on the channel factory's Windows client credentials (ChannelFactory.Credentials.Windows.AllowNtlm) is set to true, which is the default, here are some failures where the fallback to NTLM does not happen:

  1. Kerberos fails because the KDC is not reachable.
  2. Kerberos fails because the client successfully got a ticket for the wrong target. For example, say foo and bar are user accounts in the domain "test". The service runs as test\foo, but the client asks for a ticket for test\bar. The KDC issues that ticket, encrypted with test\bar's key, so the service (which only holds test\foo's key) cannot decrypt it. Because the client did obtain a ticket, it has already committed to Kerberos; the failure surfaces on the service side as an authentication error, not as a reason to renegotiate with NTLM.

On the other hand, here is a failure where a fallback to NTLM does happen:

  1. The KDC does not recognize the target. (Using the previous example, if the client tries to get a ticket for test\dummy, the KDC will not issue one, since no such principal exists. The client never obtains a Kerberos token, so SPNEGO falls back to NTLM.)
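The following C# program is an added example, not code from the original post: it wires up a WCF client with Windows message credentials, sets the endpoint identity so the client asks the KDC for a specific principal, and has the service report which SSP actually authenticated the caller. The contract name, the hostname server.test.local, the port and the UPNs are assumptions chosen for illustration. Passing a UPN the KDC does not know reproduces the NTLM fallback case; passing a UPN the KDC knows but that the service is not running as reproduces the "ticket for the wrong target" case, which ends in a SecurityNegotiationException rather than NTLM.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

// Assumed contract shared by client and service (not from the original post).
[ServiceContract]
public interface IWhoAmI
{
    // Returns the SSP that authenticated the caller, plus the caller's name.
    [OperationContract]
    string AuthenticationPackage();
}

public class WhoAmIService : IWhoAmI
{
    public string AuthenticationPackage()
    {
        // AuthenticationType is "Kerberos" when the ticket was accepted and
        // "NTLM" when SPNEGO fell back, which is the check to run when you
        // need to know whether a downgrade actually happened.
        var id = ServiceSecurityContext.Current.WindowsIdentity;
        return id.AuthenticationType + " as " + id.Name;
    }
}

public static class Demo
{
    // Windows authentication carried in the message (SPNEGO tokens over WS-Trust).
    static WSHttpBinding WindowsBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return binding;
    }

    // Service side: runs as whatever account launched the process (test\foo in the post).
    public static ServiceHost StartService(string listenUri)
    {
        var host = new ServiceHost(typeof(WhoAmIService), new Uri(listenUri));
        host.AddServiceEndpoint(typeof(IWhoAmI), WindowsBinding(), "");
        host.Open();
        return host;
    }

    // Client side: serviceUpn is the principal the client asks the KDC for.
    //   foo@test.local   -> KDC issues a ticket for the real service account: Kerberos
    //   bar@test.local   -> KDC issues a ticket the service cannot decrypt: no fallback, exception
    //   dummy@test.local -> KDC knows no such principal: client never gets a ticket, NTLM fallback
    public static string Call(string serviceUri, string serviceUpn)
    {
        var address = new EndpointAddress(
            new Uri(serviceUri),
            EndpointIdentity.CreateUpnIdentity(serviceUpn));

        var factory = new ChannelFactory<IWhoAmI>(WindowsBinding(), address);
        // true is the default; set explicitly so the experiment is not affected by config.
        // (Setting it to false makes every Kerberos failure terminal.)
        factory.Credentials.Windows.AllowNtlm = true;

        try
        {
            IWhoAmI proxy = factory.CreateChannel();
            string result = proxy.AuthenticationPackage();
            ((IClientChannel)proxy).Close();
            factory.Close();
            return result;
        }
        catch (SecurityNegotiationException ex)
        {
            // Reached when neither Kerberos nor NTLM succeeded: KDC unreachable,
            // or a ticket was issued for an account the service does not run as.
            factory.Abort();
            return "SPNEGO failed: " + ex.Message;
        }
    }

    public static void Main(string[] args)
    {
        // Assumed hostname and port; run the host on the server as test\foo and
        // point the client at it from a domain-joined machine.
        const string uri = "http://server.test.local:8000/whoami";
        string upn = args.Length > 0 ? args[0] : "foo@test.local";
        Console.WriteLine(Call(uri, upn));
    }
}
```

On the service side, logging AuthenticationType is the practical way to detect silent NTLM downgrades, since the client sees the same successful call either way. Note that AllowNtlm is marked obsolete in later .NET Framework versions, so the build may emit a warning; the property still controls whether the fallback is attempted.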

Hope this is useful.

Thanks.

