I even presented upon the topic in 2012: -
IBM Connections and Desktop Single Sign-On using Microsoft Active Directory, Kerberos and SPNEGO
Whilst I've done the SPNEGO piece time and again, the thing that I'd not done in a while was to configure the fallback login page.
Thankfully, the IBM Connections documentation to which I referred back in 2012 is still there, albeit in more recent form: -
Configuring SPNEGO (and Kerberos optionally) on WebSphere Application Server