I use Kerberos at home. So do a couple of faculty. I have a Kerberos https: proxy set up on one of our public web servers. This is less than ideal, as it requires installing separate Kerberos software for both Mac and Windows. The Kerberos protocol is standardized
across OSs, but not the proxy support (nor the OTP support).
Oh, FreeIPA runs a proxy in the standard setup (see /etc/httpd/conf.d/ipa-kdc-proxy.conf ), so I suppose clientwise if you just expose tcp:443 to the Internet things should just work.