If you want to use Microsoft's version of Kerberos, I suggest you use an IIS instance to do the authentication and use trusted-header SSO on the AEM side. So the IIS adds the username as a header to the request and CQ is configured to trust this header and take its value as the username.
Jörg
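
The header in this setup is only trustworthy when the authenticating proxy set it, so both sides need a check. The following is an added example, not part of the original post and not AEM or IIS code: a small Python model of the proxy dropping client-supplied copies of the header and the backend accepting it only from the proxy's address. The header name `X-Remote-User`, the proxy address and the function names are assumptions.

```python
import ipaddress

SSO_HEADER = "X-Remote-User"                               # hypothetical header name
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.10/32")]   # constructed address of the IIS host


def proxy_forward_headers(client_headers, authenticated_user):
    """Proxy side: drop any client-supplied copy of the SSO header, then set
    the value obtained from the proxy's own Kerberos authentication."""
    kept = [(n, v) for n, v in client_headers if n.lower() != SSO_HEADER.lower()]
    if authenticated_user:
        kept.append((SSO_HEADER, authenticated_user))
    return kept


def resolve_sso_user(peer_ip, headers):
    """Backend side: return the username to trust, or None to fall through
    to normal authentication."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None      # header is meaningless unless the proxy sent it
    values = [v for n, v in headers if n.lower() == SSO_HEADER.lower()]
    if len(values) != 1:
        return None      # missing, or more than one copy present
    user = values[0].strip()
    if not user or any(ord(c) < 0x20 or ord(c) == 0x7F for c in user):
        return None      # empty or contains control characters
    return user


if __name__ == "__main__":
    # Constructed request that already carries the header before reaching the proxy.
    client = [("Host", "aem.example.com"), ("x-remote-user", "admin")]
    via_proxy = proxy_forward_headers(client, "jdoe")
    print(resolve_sso_user("10.0.5.10", via_proxy))   # request arrived via the proxy
    print(resolve_sso_user("203.0.113.7", client))    # direct request, header ignored
```

In a real deployment the same effect also needs network controls so that the backend port is reachable only from the proxy.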