Negotiate is choosing Kerberos, which has some obscure protections to prevent man-in-the-middle attacks, so your proxy is in the way and that's why you're getting failed auth.
It works on the same machine, there's no man in the middle.
Local system account is not a domain account, and probably can't talk to AD.
Local admin account is probably a domain account? Or at least has some way to talk to AD.
Going directly to the JBoss server works because there's no proxy.
On a DOS console you're running under a domain account, it works.
Proxy authentication is another beast and I really don't know what Waffle can/should do to work in that scenario. Maybe someone in building 41 in Redmond knows :) I would just use NTLM and get it over with. It's not really less secure than Kerberos.
It's a lot to digest :)