Hi,
Kerberos has to be configured always wherever you want the IWA authentication. Which more generally is just the SAS Computer server, to enable users to authenticate against the AD when connecting with Enterprise Guide, interact with the FileSystem/shares or even with the Web.
You can do it on the Metadata server, but I think it is more secure to leave just the SAS Authentication.
Now, if besides IWA authentication, you want Single Sign On/SPNEGO on the web applications, then you need to configure Web Authentication, then IWA/Kerberos on the web.
I am not sure if I could answer, at least partially, your question. Please let me know.