- Bug
- Resolution: Not A Defect
- Minor
- None
The Kerberos SSO plugin provides a way to allow Basic Auth alongside negotiation. This effectively instructs SPNEGO to advertise it in the HTTP response header, but that is all.
When the browser submits the Basic Auth credentials, they are processed by jenkins.security.BasicHeaderProcessor, which gets triggered before the Kerberos filter, so by the time that filter is invoked the user is already authenticated. That means:
- There is no way to disable basic auth in Jenkins (with this plugin or without it) as users can still send the header.
- The basic header authentication is actually performed against the underlying security realm, not the Kerberos KDC.
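
The filter ordering described in this report, as an added example: a simplified Python model, not Jenkins or plugin code. Only the name `BasicHeaderProcessor` comes from the report; the `advertise_basic` flag, the realm contents, the challenge strings and the helper names are assumptions made for illustration, and SPNEGO ticket validation is left out.

```python
import base64

# Constructed realm contents; stands in for the underlying security realm.
REALM_USERS = {"alice": "realm-password"}

def basic_header_processor(req):
    """Models jenkins.security.BasicHeaderProcessor: runs first, checks the realm."""
    header = req["headers"].get("Authorization", "")
    if header.startswith("Basic "):
        decoded = base64.b64decode(header[6:]).decode()
        user, _, password = decoded.partition(":")
        if REALM_USERS.get(user) == password:
            req["user"] = user
            req["authenticated_by"] = "security realm"  # the KDC is never consulted

def kerberos_filter(req, advertise_basic):
    """Models the Kerberos filter: it only acts on unauthenticated requests."""
    if req.get("user"):
        return 200, []  # already authenticated upstream, nothing left to decide
    # The plugin option (hypothetical flag here) only changes what is advertised.
    challenges = ["Negotiate"] + (["Basic"] if advertise_basic else [])
    return 401, challenges

def handle(headers, advertise_basic):
    """Run both filters in the order the report describes."""
    req = {"headers": headers}
    basic_header_processor(req)
    status, challenges = kerberos_filter(req, advertise_basic)
    return status, challenges, req.get("authenticated_by")

def basic(user, password):
    """Build a Basic Authorization header for the constructed sample requests."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

if __name__ == "__main__":
    for advertise in (True, False):
        print("advertise_basic =", advertise)
        print("  no credentials:", handle({}, advertise))
        print("  basic header:  ", handle(basic("alice", "realm-password"), advertise))
```

With the flag off the challenge lists only `Negotiate`, yet a request that already carries valid realm credentials in a Basic header is still accepted, which is the behaviour both bullet points describe.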