Current versions of Alfresco do not support pre-authentication with Kerberos for CIFS access and therefore this needs setting to be disabled for some users.
This decreases the security of Kerberos authentications and makes attacks easier. In some restricted areas this cannot be disabled which prevents the usage of this authentication mechanism.
From Microsoft article:
If preauthentication is enabled, a time stamp will be encrypted using the user's password hash as an encryption key. If the KDC reads a valid time when using the user's password hash (stored in the Active Directory) to decrypt the time stamp, the KDC knows that request isn't a replay of a previous request. The preauthentication feature may be disabled for specific users in order to support some applications that don't support the security feature.
Alfresco 3.4.10, Oracle
[Steps that show the current behaviour]
1. Configure Alfresco to use Kerberos for CIFS authentication. If it is working, disable (untick) "Do not require Kerberos pre-authentication"
2. Restart Alfresco and see that Kerberos authentication for CIFS will not work anymore and you will find authentication errors
Even with Kerberos pre-authentication required Alfresco should be able to authenticate against Kerberos for CIFS usage
Alfresco as an enterprise product should support this very basic security feature for Kerberos to be able to be used also in restricted organisations like governments, banking sector or any else who needs to have higher security standards. Other applications (from Citrix and Cisco) are also able to run with this pre-authentication enabled.