Here's what worked for me (it took me 2.5 days to sort this out!).
2. Use Mike's config exactly as it is (except, obviously, changing domain names, etc.), especially wrt capitalisation and using FQDN.
2. Use Mike's example of ktpass exactly as it is. You can specify /ptype KRB5_NT_PRINCIPAL if you like, but trying any value for /crypto just didn't work for me.
3. Set up the Java System properties java.security.krb5.kdc AND java.security.krb5.realm to be the fully-qualified name of your Domain Controller and your domain (fully-qualified) in capitals.
4. Make sure Internet Explorer in your client thinks that the server is in its Intranet! Don't use the server as a client!
5. For your Service Principal and any users you want to authenticate, in the Account options, disable 'Use Kerberos DES…', enable 'This account supports Kerberos AES 128 bit…', enable 'This account supports Kerberos AES 256 bit…' and disable 'Do not require Kerberos preauthentication'.
6. If you are outside the US, you may need to download the full support for AES 256-bit encryption. Look it up.
In the test system I set up, the domain was vbis.security.local. The Windows Server 2008 machine was called chekov. So the values for the properties were: