I've been trying to make Kerberos delegation work across all browsers, but I'm having no luck. I'm running a Java web server on Linux and Windows.
Firefox (64 bit) on Linux: Receive the ticket and delegation works. I've set the preferences network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris preferences appropriately.
Chrome (64 bit) on Linux: I receive the Kerberos ticket, but delegation does not work. I've tried launching the browser with the command line feature --auth-negotiate-delegate-whitelist="{REALM_NAME}" but it doesn't seem to delegate. There may have been a bug report filed as recently as November, 2017 saying that account delegation is not working.
Internet Explorer on Windows: Receive the ticket and delegation works. Internet Explorer also automatically retrieves the AD Domain Name when the login prompt is filled in. IE defaults to NTLM (which I don't want) if I don't have the setting "Prompt for Username and Password" enabled in "Internet Options -> Security -> Local Intranet -> Custom Level"
Chrome (64 bit) on Windows: I can send in the AD Kerberos ticket, but delegated credentials are not working. Also, I'm curious as to why I have to append @{DOMAIN_REALM} to the username when the login prompt appears, while IE picks it up automatically.
Firefox (64-bit) on Windows: I had to disable "use-SSPI" preference to send the Kerberos ticket. Firefox defaults to NTLM if the use-SSPI preference is enabled. I have the same proper negotiate preferences configured in Firefox, but delegation doesn't seem to work. I've checked the log file and it appears that Firefox does try to append the token "use REQ_DELEGATE" when forming the credentials, but my Java web server still sees the client account as not allowing delegation.
