IIS refuse un-preauth-ed tickets?

[Speedo]

Sorry to post into 2 groups.

I have a Java application using Kerberos to talk to IIS on a Windows
domain. First I call java's kinit and then use the acquired initial
TGT to connect to IIS with JGSS. When the initial ticket is pre-
authed, I can get the web content. However, if I set the user account
as "do not require preauth" and acquire such an un-preauth-ed initial
TGT, and then get a service ticket for IIS using this TGT, it seems
this ticket cannot be used to retrieve pages from IIS (using SPNEGO).
Is this a designed feature?

Thanks
Speedo