Scenario:
Our security team wants to disable NTLM authentication on our Active Directory domain. I can see that the Altiris Agent (Symantec Management Agent (SMA)) connectivity credentials account is using NTLM.
How do I get the agent to use Kerberos?
ITMS 8.1 RU2 and later
Starting with the ITMS 8.6 RU3 release, Kerberos authentication works out of the box. The manual changes previously suggested to mitigate the changes Microsoft introduced for Kerberos and SPN handling (KB 232242, "January Cumulative Security updates prevent endpoints from registering to task server") are no longer required: the Symantec Management Agent 8.6 RU3 registers the SPNs for the servers itself.
Delegation is also set during Site Server configuration on the client side.
The SPN format used by the agent has also been changed to comply with the recent Microsoft requirements, so the workaround described in KB 232242 no longer applies to 8.6 RU3 and later.
Prior to ITMS 8.6 RU3 release:
We have tested and fixed SMA so that it uses Kerberos when the environment is configured correctly. SMA does not request "NTLM" directly; it uses the Windows "Negotiate" security provider, and the provider itself selects whether Kerberos or NTLM is used. If Kerberos is correctly configured (in particular, the HTTP SPNs for the server exist), "Negotiate" will use it; if it is not, the provider silently falls back to NTLM. The IIS Windows Authentication option "authPersistNonNTLM" must be set to True on the server side; otherwise there will be HTTP authentication errors.
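The following PowerShell script is an added example (not part of this KB or the product) that checks the three things the paragraph above depends on: that IIS has authPersistNonNTLM enabled and offers Negotiate before NTLM, that HTTP SPNs exist for the server, and which authentication package the server actually recorded for incoming network logons (Security event 4624). The host name, IIS site name and service account in it are hypothetical placeholders; the "Default Web Site" assumption and the account holding the SPN must be adjusted to the environment (the SPN belongs to the identity the IIS application pool runs as, or to the machine account if it runs as a built-in identity).

```powershell
# Added example, not product code. All names below are assumptions.
$SmpHost   = 'smp01.corp.example.com'   # hypothetical NS / Site Server FQDN
$SiteName  = 'Default Web Site'         # hypothetical IIS site hosting the agent web services
$AppPoolId = 'CORP\svc_altiris'         # hypothetical application pool identity

# 1. Server side (run elevated on the NS / Site Server): keep the Kerberos
#    context between requests (authPersistNonNTLM) and check provider order.
Import-Module WebAdministration
$filter = 'system.webServer/security/authentication/windowsAuthentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $filter `
    -Name 'authPersistNonNTLM' -Value $true

$providers = (Get-WebConfiguration -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$filter/providers").Collection | ForEach-Object { $_.value }
if ($providers[0] -ne 'Negotiate') {
    Write-Warning "Provider order is '$($providers -join ', ')'; Negotiate should come first."
}

# 2. SPN check: Negotiate only selects Kerberos when an HTTP SPN for the host
#    exists; without one the client silently falls back to NTLM.
$shortHost = $SmpHost.Split('.')[0]
foreach ($spn in "HTTP/$SmpHost", "HTTP/$shortHost") {
    $out = & setspn.exe -Q $spn 2>&1
    if ($out -match 'No such SPN found') {
        Write-Warning "Missing SPN $spn; register it with: setspn -S $spn $AppPoolId"
    } else {
        Write-Host "Found SPN $spn"
    }
}

# 3. Evidence of what was really negotiated: Security event 4624 carries
#    AuthenticationPackageName ('Kerberos' or 'NTLM'). Network logons
#    (LogonType 3) from the endpoints are the ones the agent produces.
function Get-AuthPackageSummary {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Source  = $d.IpAddress
                Type    = $d.LogonType
                Package = $d.AuthenticationPackageName
            }
        } |
        Where-Object { $_.Type -eq '3' } |
        Group-Object Account, Package |
        Select-Object Count, Name
}

# Any row whose Name ends in 'NTLM' for the agent connectivity account means
# Negotiate fell back; fix the SPN / DNS name the agent uses, then re-check.
Get-AuthPackageSummary
```

On the endpoint side, after the agent has connected, "klist" on the client should show a ticket for HTTP/<server FQDN>; if none appears, the agent is still authenticating with NTLM and the SPN or the host name the agent uses (FQDN versus short name) is the first thing to verify.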
The attached document lists the steps needed to disable NTLM and make Kerberos communication work, based on a default environment installation.
Note: The following steps (see attached "ITMS 8.5 RU2-How to setup environment to use Kerberos authentication.pdf") are provided "AS-IS", since this is outside of our regular Support or testing procedures.