SSO authentication, response is always NTLM

pderaaij · Dec 18, 2012 · Viewed 7.3k times

I'm trying to implement SSO on an intranet application we are developing. I am using SPNEGO for this. Now I'm having some trouble configuring the SSO and hope someone here is able to help me.

The setup is like this:

  1. Linux server with tomcat to serve the intranet application
  2. Windows Server 2008 as domain controller (Active Directory)
  3. Windows 7 client with IE9 and Firefox

When I open the intranet application I see a GET request going from the client to the tomcat server. The first response of the tomcat server and the SpnegoFilter is a 401 Unauthorized, which is right, because the client needs to be authenticated.

806 6.117724    192.168.65.50   192.168.65.50   HTTP    284 HTTP/1.1 401 Unauthorized 
WWW-Authenticate: Negotiate\r\n

The response of the client then is a GET request with an NTLMSSP_NEGOTIATE flag. Here it breaks. I don't expect an NTLM response, but a Kerberos/SPNEGO response. Somehow I just can't figure out how to send the correct response to the tomcat server.

808 6.123277    192.168.65.50   192.168.65.50   HTTP    637 GET / HTTP/1.1 , NTLMSSP_NEGOTIATE

By default NTLM isn't supported by SPNEGO, so I get the following entry in my log:

java.lang.UnsupportedOperationException: NTLM specified. Downgraded to Basic Auth (and/or SSL) but downgrade not supported.

So I'm doing something wrong, but after a day of fiddling with configurations and policies I just can't figure out what it is.

Hoping for some response.

Answer

Michael-O · Dec 18, 2012

Kerberos does not work on IPs, use fully qualified domain names.
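To make the answer concrete: the browser asks the KDC for a ticket for the service principal `HTTP/<host>`, and with an IP literal in the URL there is no such principal, so the client falls back to NTLM. The NTLM fallback is visible in the Authorization header itself: a raw NTLM message starts with the `NTLMSSP\0` signature, whereas a Kerberos or SPNEGO token is a DER-wrapped GSS-API InitialContextToken whose first element is the mechanism OID. The script below is an added example (not code from the question, the answer, or the SpnegoFilter project) that classifies a captured `Authorization: Negotiate ...` header and reports the SPN a browser would request for a given URL. The sample tokens and the hostnames `intranet` and `intranet.corp.example.com` are constructed for illustration, not taken from the trace in the question.

```python
import base64
import binascii
import ipaddress
from urllib.parse import urlsplit

# Fixed prefixes that identify the mechanism a client put in the Negotiate token.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                      # raw NTLM message, not GSS-wrapped
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")       # OID 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID_DER = bytes.fromhex("06092a864886f712010202")   # OID 1.2.840.113554.1.2.2 (Kerberos v5)


def _der_length(n):
    """DER length field for content of n bytes (short or long form)."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def _der_content_after_length(data):
    """Return the content octets that follow a DER length field starting at data[0]."""
    if not data:
        return b""
    first = data[0]
    if first < 0x80:
        return data[1:1 + first]
    n = first & 0x7F
    if n == 0 or len(data) < 1 + n:
        return b""
    length = int.from_bytes(data[1:1 + n], "big")
    return data[1 + n:1 + n + length]


def build_initial_context_token(mech_oid_der, inner):
    """GSS-API InitialContextToken (RFC 2743 section 3.1): [APPLICATION 0] { mech OID, inner token }."""
    body = mech_oid_der + inner
    return b"\x60" + _der_length(len(body)) + body


def classify_negotiate_token(authorization_header):
    """Classify an HTTP Authorization header value as 'ntlm', 'spnego', 'kerberos' or 'unknown'."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token:
        return "unknown"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"          # the fallback seen in the question's trace (NTLMSSP_NEGOTIATE)
    if raw[:1] == b"\x60":     # [APPLICATION 0] tag of a GSS-API initial context token
        content = _der_content_after_length(raw[1:])
        if content.startswith(SPNEGO_OID_DER):
            return "spnego"
        if content.startswith(KRB5_OID_DER):
            return "kerberos"
    return "unknown"


def url_host_is_fqdn(url):
    """True when the URL host is a dotted DNS name; False for an IP literal or a bare label."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False           # Kerberos needs a name, not an address
    except ValueError:
        return "." in host


def expected_http_spn(url):
    """The SPN a browser asks the KDC for, or None when no usable SPN can be formed."""
    if not url_host_is_fqdn(url):
        return None
    return "HTTP/" + urlsplit(url).hostname.lower()


# Constructed sample tokens (not captured from the original question's trace).
NTLM_TYPE1 = base64.b64encode(
    NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + b"\x00" * 16
).decode()
SPNEGO_INIT = base64.b64encode(
    build_initial_context_token(SPNEGO_OID_DER, b"\xa0\x00")  # empty NegTokenInit placeholder
).decode()
KRB5_APREQ = base64.b64encode(
    build_initial_context_token(KRB5_OID_DER, b"\x01\x00" + b"\x00" * 200)  # TOK_ID AP-REQ, dummy body
).decode()

if __name__ == "__main__":
    for url in ("http://192.168.65.50/", "http://intranet/", "http://intranet.corp.example.com/"):
        print(url, "->", expected_http_spn(url))
    for hdr in ("Negotiate " + NTLM_TYPE1, "Negotiate " + SPNEGO_INIT, "Negotiate " + KRB5_APREQ):
        print(classify_negotiate_token(hdr))
```

Run it against the header from the second request in the capture (request 808) and it reports `ntlm`, matching the log line about the NTLM downgrade. Once the application is reached under a name for which an `HTTP/<fqdn>` SPN exists in the domain, the same check should report `spnego`. Two browser-side caveats apply as well: IE only sends Negotiate credentials automatically to sites in its Local intranet zone, and Firefox only does so for hosts listed in `network.negotiate-auth.trusted-uris`, so the FQDN has to be allowed there too.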