Real quick, the reason for the credential pop-up is because the URL you are accessing is not in the Local Intranet trusted sites lists, as shown in Figure 6a and 6b!
I setup a domain and did some learning on Kerberos.
The first lessons I learned working towards a better understanding of Kerberos was some NTLM internals. This is because after configuring IIS as shown in Figure 1, to use Negotiate, when I accessed the IIS server from a client, the client and server negotiated NTLM instead of Kerberos. So I had to find out why. What I am confident was happening was caused by the account I was using. I was using an Administrator account which had a match in the SAM database on the client. I learned some good NTLM information here.
In my lab I had my own CONTOSO domain and created a new account. When I used this account, I was able to see that Kerberos was being used. Once I got Kerberos to be used, I got the issue where I had to login once per browser session. I.e. I would access the server URL, get prompted for my credentials, enter them and then I had access to the web site. So Kerberos wasn’t failing, I was just getting that credential popup which was not desired. See the following figures:
Once I added the FQDM to the client browser, as shown in Figure 6, I no longer had to enter the credentials for Kerberos authentication to work.