I implemented the negotiate (NTLM + Kerberos) authentication filter, and add APP server website into client Intranet Zone.
The APP Server Local Administrator's password is same as Test Client Local Administrator's password.
The APP Server is in domain,but The Test Client is not.
When i use IE for test ,it authenticates successfully and I can see mywebsit.
request.getRemoteUser() value is APP Server Local Administrator's full name.