Symptom
Kerberos authentication fails for users and the FMC shows an anonymous login if Kerberos authentication is enforced.
NTLM authentication is always used, even with Kerberos present as an option, if authentication is configured to HTTP Negotiate.
Conditions
ActiveID authentication for users is enabled with Kerberos.
FMC and FTD hostnames are longer than 15 characters.
FMC and FTD hostnames start with the same string, e.g. 'extralonghostname.fmc.domain' and 'extralonghostname.ftd.domain'.
Workaround
Configure ActiveID to HTTP Negotiate to allow NTLM authentication.
Further Problem Description
Because the devices join the realm with the same sAMAccountName, there will be only one entry in the AD 'Computers' OU for all devices matching that sAMAccountName.
The DNS name on that entry will be that of the first device to have joined, usually the FMC, due to the order of the Kerberos implementation on the Firepower.
The SPN created for the machine will also be only for the first joiner, usually the FMC as above.
The missing SPN for the FTDs causes the client PC to fall back to NTLM authentication, as the FTD SPN is not present in AD.
If Kerberos is enforced, the authentication always fails to extract the username and the user is seen as 'Anonymous'.
If Negotiate is allowed, the user will correctly authenticate with NTLM.
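
An added example (not part of the original report and not Cisco code): a pre-join check that flags devices which would end up sharing one sAMAccountName, as described above. It assumes the account name is the first hostname label cut to 15 characters, upper-cased, with "$" appended; the report does not state the exact derivation, and the inventory below is constructed.

```python
from collections import defaultdict

NETBIOS_MAX = 15  # computer-account name length limit, excluding the trailing "$"


def short_label(fqdn):
    """First DNS label of a hostname, lower-cased, trailing dot ignored."""
    label = fqdn.strip().rstrip(".").split(".", 1)[0].lower()
    if not label:
        raise ValueError(f"no hostname in {fqdn!r}")
    return label


def derived_sam(fqdn):
    """ASSUMED derivation: first label, cut to 15 chars, upper-cased, plus '$'."""
    return short_label(fqdn)[:NETBIOS_MAX].upper() + "$"


def find_collisions(fqdns):
    """Map each sAMAccountName claimed by more than one device to those devices."""
    by_sam = defaultdict(list)
    # Normalise and de-duplicate so one device listed twice is not a collision.
    for fqdn in dict.fromkeys(f.strip().rstrip(".").lower() for f in fqdns):
        by_sam[derived_sam(fqdn)].append(fqdn)
    return {sam: hosts for sam, hosts in by_sam.items() if len(hosts) > 1}


def truncated(fqdns):
    """Devices whose first label exceeds 15 characters (the condition above)."""
    return [f for f in fqdns if len(short_label(f)) > NETBIOS_MAX]


# Constructed inventory: the first two names are the ones quoted in this report,
# the others are made up for illustration.
INVENTORY = [
    "extralonghostname.fmc.domain",
    "extralonghostname.ftd.domain",
    "datacenter-east-ftd01.corp.example",
    "datacenter-east-ftd02.corp.example",
    "fmc01.corp.example",
]

if __name__ == "__main__":
    for sam, hosts in find_collisions(INVENTORY).items():
        print(f"{sam}: shared by {', '.join(hosts)}")
        print("  only the first of these to join the realm gets the DNS name and SPN")
```

Run it against the planned FMC and FTD hostnames before joining them to the realm; any name it reports needs a distinct first 15 characters for each device to get its own AD entry.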