Users see the following error which can be fixed by a hotfix for IE or by using HOST records rather than CNAME in DNS

Error message in Internet Explorer when you try to access a Web site that requires Kerberos authentication on a Windows XP-based computer: "HTTP Error 401 - Unauthorized: Access is denied due to invalid credentials"
 
This problem may occur if the Web site uses a CNAME resource record in the Domain Name System (DNS) to contact the server that initiates Kerberos authentication. (This server also issues the Kerberos ticket.) When you use Internet Explorer to access the Web site, Internet Explorer uses the host name of the server instead of the CNAME resource record to contact the server. The authentication process does not work because only the Service Principal Name (SPN) for the CNAME resource record is registered on the account that is used for the authentication.