Firefox only allows Kerberos tokens to sites matching the network.negotiate-auth.trusted-uris list.
This list is comma separated, and may contain wildcards or FQDN names.
Configuring network.negotiate-auth.trusted-uris manually
For testing purposes, you can set network.negotiate-auth.trusted-uris manually by enteing about:config in the address bar, then search the setting and enter the list:
Making a Group Policy for network.negotiate-auth.trusted-uris
On the domain controller run Group Policy Management (gpmc.msc), and greate or locate a policy that contains user objects.
Create the new Group Policy and edit it after creation
Create a new logon script
Navigate to User Configuration - Policies - Windows Settings - Scripts and open Logon. The logon script may be placed anywhere on a file server or inside the policy itself.
In this example firefox-settings.bat and user.js is placed inside the policy itself.
Add..
Choose Add.. and then Browse. Windows Explorer will open the path to the Sysvol Policy.
Example: \\example.local\SysVol\example.local\Policies\{2D1CB1B7-F1BD-4CE8-8B3D-2F9FD06A764C}\User\Scripts\Logon
Right click and make a new text document with the following content.
Save the file as firefox-settings.batif exist "%APPDATA%\Mozilla\Firefox" for /D %%F in ("%APPDATA%\Mozilla\Firefox\Profiles\*") do copy /y Example: \\example.local\SysVol\example.local\Policies\{2D1CB1B7-F1BD-4CE8-8B3D-2F9FD06A764C}\User\Scripts\Logon\user.js %%FCreate a new file named user.js with the content to match your domain. (The file must be named user.js)
Multiple names are separated by comma. example.com is treated as *.example.comuser_pref("network.negotiate-auth.trusted-uris", "example.com,issues.example.com");Finish the dialogue by opening firefox-settings.bat
The complete policy
Configuring network.negotiate-auth.allow-non-fqdn
In some cases you may need to set this to 'true' for Firefox to send Kerberos tickets to the site, when using short-form URLs.