Both the client's account and the service's account must be in Windows 2000 native or mixed-mode domains because Kerberos services are not available in downlevel domains. In addition, both client and service accounts must be in the same forest because the client's KDC uses the global catalog to search for the service principal name.
Both service and client must be running on Windows 2000, ; otherwise mutual authentication with Kerberos will fail because earlier versions of Microsoft® Windows® do not support Kerberos.
Service principal names must include the DNS name of the host server on which the service is running. You must use the DNS name.