Regarding the Smoothwall Kerberos / NTLM issue, I believe it is possible for Smoothwall to support Kerberos and NTLM on a single port - would need some extra work on their part though but I *think* it might mean we don't have to configure Java any more.

Have posted a suggestion to Smoothwall's UserVoice forum here:
Support Negotiate authentication fully to allow Kerberos AND NTLM to be configured on a single port
If you'd like to see this, please support the suggestin by voting for it