You want to understand how Kerberos and NTLM authentication work, how to troubleshoot it, and how DNS host name resolution affects it.
On the PDQ server, by default some Kerberos logs will be captured, such as "KRB_AP_ERR_MODIFIED", but you can enable the Kerberos event logging to capture more errors.
How to enable Kerberos event logging
On the PDQ server, you can enable the NTLM outgoing traffic audit log, to capture events every time NTLM is used to connect to a computer.
How to audit NTLM outgoing traffic
Below are some great Microsoft articles that explain how Kerberos and NTLM work, and how to troubleshoot them in your environment.
How to troubleshoot Kerberos authentication issues with a misconfigured DNS environment ("KDC_ERR_S_PRINCIPAL_UNKNOWN")
How to troubleshoot Kerberos authentication at the network level
How to troubleshoot Kerberos SPN Issues Part 1
How to troubleshoot Kerberos SPN Issues Part 2