Kerberos only works if the client can get a "ticket" and the two main requirements for getting a ticket are:

• The user must be logged into the client device with their AD DS credentials
• The service account (the account IIS is running under in this case) must have a Service Principal Name (SPN) set that matches the URL used. The SPN is derived directly from the URL entered into the browser address bar. For example, if the URL was https://www.example.com/, the SPN would be HTTP/www.example.com.

However, the hostname "localhost", which appears to be what you're using in this case, is not a permitted SPN as it is not actually a DNS hostname (it is a name interpreted by your local OS). Similarly an IP address cannot have a corresponding SPN.

Short Answer: If you use "localhost" as the hostname, the client will not initiate Kerberos and fallback to NTLM.

PS: If you actually care about security, you MUST use HTTPS (even for Kerberos).