IIS Windows Integrated Auth, not passing domain\user

I have two servers. both running IIS7.5.

they both run the same version of a web based application which occupies several app pools (it runs as lots of little services and the like).

i have an excel plugin which connects to that application and can draw data out.

the only difference i know of between the two machines is that the working one runs all its app pools with the standard accounts, localsystem, apppoolidentity etc.

the failing one uses specific service accounts for most of its app pools (mainly the ones used by the web application).

the crux of the issue seems to be that on the working machine the exchange is as follows -

POST /Service/Hierarchy.svc - 80 - 10.100.69.49 - 200 0 0 0
GET /Application/login/login.dll - 80 DOM\Account 10.100.69.49 - 200 0 0 140

and on the failing server -

POST /Service/Hierarchy.svc - 80 - 10.100.69.49 - 200 0 0 0
GET /Application/login/login.dll - 80 - 10.100.69.49 - 401 2 5 358

note the account doesnt get passed.

all other settings that i can see, are the same except.... on that application/login/login.dll authentication settings, on the working server it is Negotiate then NTLM, on the failing server if I put it that way round then other parts of the application stop working with 401 challenges wanting credentials.

can anyone offer any advice on how to debug this?

thanks

edit: here's a trimmed down wireshark capture of the failed attempt.

GET /Application/login/login.dll HTTP/1.1
Authorization: Negotiate YIILwgYGKwYBBQUCoIILtjCCC7KgM...etc
Host: MachineName

HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate oYGNMIGKoAMKAQGhC...etc
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Wed, 20 Apr 2016 05:42:58 GMT
Content-Length: 1293

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
...html
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
...html
<div id="header"><h1>Server Error</h1></div>
  <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
...html



GET /Application/login/login.dll HTTP/1.1
Authorization: Negotiate oYILiTCCC4WgAwoBAa...etc
Host: MachineName

HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate oX8wfaADCgEBonYEdGByBgk...etc
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Wed, 20 Apr 2016 05:42:58 GMT
Content-Length: 1293

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
...html
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
...html
<div id="header"><h1>Server Error</h1></div>
...html
  <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
...html

i know that the user in question has access to the urls in the requests, so i can call /Application/login/login.dll manually.

is

GET /Application/login/login.dll HTTP/1.1
Authorization: Negotiate YIILwgYGKwYBBQUCoIILtjCCC7KgM...etc
Host: MachineName 

where it tries to pass the username? could this be failing and that's why I don't see the user being passed?

thanks again

edit:

i'm seeing KRB5KRB_AP_ERR_MODIFIED in Wireshark which wasn't there before, also in the details it is listing the ServiceAccount which runs the AppPool.

so i'm thinking it might be related to this - Windows Authentication KRB5KRB_AP_ERR_MODIFIED