As far as I see, you can get a TGT (Ticket Granting Ticket), but the applications can not get TGS ticket. You may verify with klist command to see the tickets in the cache. The TGS ticket depends on the TGT.

Using kinit command you can only get a TGT not a TGS ticket.

So the missing puzzle piece seems to be the SPN (service principal names) of the services that your application requires such as HTTP.

You may verify with setspn -L command.

This SPN information should exist on a domain controller which is close to the application client (which should be an AD Domain member) and the application servers (which should be AD Domain member(s) ).