At last! VMware have finally added passthrough auth support in VC 2.5, although it is currently classed as experimental. This is something I have been waiting / asking about for quite some time. And even better, it's on by default! To use it, simply add -passthroughAuth -s vchostname to the end of the shortcut used to launch the VI 2.5 client.
By default it uses the Negotiate SSPI provider, however since they have fully implemented the interface you can change that behaviour to use Kerberos by adding the following within the <vpxd> node in the vpxd.cfg file on the VC server:
<sspiProtocol>Kerberos</sspiProtocol>
VMworld Europe 2008 has almost been worth it for this little gem alone, as you won't find it on any slide deck - the information came straight from the presenters mouth in conjunction with a quick consultation of the VC source code (by him, not me :-) in order to determine the correct entry for vpxd.cfg. I will now work out how to use this with custom written SDK apps, although I have a suspicion it will be a fairly simple matter of passing the same arguments as part of the connect sequence. Will be sure to post when I figure it out!