In particular it seems to be necessary to enable Kerberos for the service user used for the keytab:
<After the keytab generation, the User logon name changes into an SPN, so it can be found by Kerberos clients looking it up. Note that the checkbox "This account supports Kerberos AES 256 bit encryption" under Account Options is selected. The checkbox must be manually selected after the keytab generation, otherwise you'll receive an error along the lines of "Cannot find key of appropriate type to decrypt AP REP...".>
In our case, the Fortinet guide generates the keytab with the "-crypto all" option, so I have enabled all 3 fields: DES, AES 128, AES 256.
I'd recommend getting a packet capture on the client and enabling Kerberos error logging. Double-check the relevant browser auth settings (Firefox splits NTLM and SPNEGO/Kerberos settings) and/or GPO. Also ensure your client has visibility to the KDC, and that the SPN was registered correctly in AD when doing the ktpass step (from a Windows-joined machine: "setspn -l FGT" should return your personalized version of the example from the guide: "HTTP/FGT.FORTINETQA.LOCAL").
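The account-side checks described above can be run together from a domain-joined machine. This is an added example, not part of the original post or the Fortinet guide; it assumes the ActiveDirectory RSAT module is installed, that the keytab service account is the user `FGT`, and that the SPN is the guide's example value, which you should replace with your own.

```powershell
# Added example: verify SPN registration and enabled Kerberos encryption types
# on the keytab service account. Account name and SPN are assumptions taken
# from the guide's example; substitute your own values.
Import-Module ActiveDirectory

$account     = 'FGT'
$expectedSpn = 'HTTP/FGT.FORTINETQA.LOCAL'

# Bit flags of the msDS-SupportedEncryptionTypes attribute
$etypeBits = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128-SHA1' = 0x08
    'AES256-SHA1' = 0x10
}

$user = Get-ADUser -Identity $account `
    -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes'

# 1. Is the SPN present on the account? (-contains is case-insensitive)
if ($user.servicePrincipalName -contains $expectedSpn) {
    Write-Output "OK: $expectedSpn is registered on $account"
} else {
    Write-Output "MISSING: $expectedSpn is not registered on $account"
    Write-Output "Registered SPNs: $($user.servicePrincipalName -join ', ')"
}

# 2. Which encryption types does the account advertise?
#    An unset attribute casts to 0, meaning no explicit types are configured.
$mask    = [int]$user.'msDS-SupportedEncryptionTypes'
$enabled = $etypeBits.GetEnumerator() |
    Where-Object { $mask -band $_.Value } |
    ForEach-Object { $_.Key }

Write-Output ("msDS-SupportedEncryptionTypes = 0x{0:X} ({1})" -f $mask, ($enabled -join ', '))
foreach ($aes in 'AES128-SHA1', 'AES256-SHA1') {
    if ($enabled -notcontains $aes) {
        Write-Output "WARNING: $aes is not enabled on $account"
    }
}

# 3. Confirm the SPN is not also registered on another account
setspn -Q $expectedSpn
```

If step 3 reports the SPN on more than one account, the KDC cannot resolve it unambiguously and ticket requests for the service will fail regardless of the encryption settings.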