Firefox only allows Kerberos tokens to sites matching the network.negotiate-auth.trusted-uris list.

This list is comma separated, and may contain wildcards or FQDN names.

Configuring network.negotiate-auth.trusted-uris manually

For testing purposes, you can set network.negotiate-auth.trusted-uris  manually by enteing about:config in the address bar, then search the setting and enter the list:

Making a Group Policy for network.negotiate-auth.trusted-uris 

On the domain controller run Group Policy Management (gpmc.msc), and greate or locate a policy that contains user objects. 

Create the new Group Policy and edit it after creation

Create a new logon script

Navigate to User Configuration - Policies - Windows Settings - Scripts and open Logon. The logon script may be placed anywhere on a file server or inside the policy itself. 
In this example firefox-settings.bat and user.js is placed inside the policy itself.

Add.. 

•  Choose Add.. and then Browse. Windows Explorer will open the path to the Sysvol Policy.

  Example: \\example.local\SysVol\example.local\Policies\{2D1CB1B7-F1BD-4CE8-8B3D-2F9FD06A764C}\User\Scripts\Logon

• Right click and make a new text document with the following content.
  Save the file as firefox-settings.bat

  if exist "%APPDATA%\Mozilla\Firefox" for /D %%F in ("%APPDATA%\Mozilla\Firefox\Profiles\*") do copy /y Example: \\example.local\SysVol\example.local\Policies\{2D1CB1B7-F1BD-4CE8-8B3D-2F9FD06A764C}\User\Scripts\Logon\user.js %%F

• Create a new file named user.js with the content to match your domain.  (The file must be named user.js) 
  Multiple names are separated by comma. example.com is treated as *.example.com

  user_pref("network.negotiate-auth.trusted-uris", "example.com,issues.example.com");

• Finish the dialogue by opening firefox-settings.bat
  

  

The complete policy

Configuring network.negotiate-auth.allow-non-fqdn

In some cases you may need to set this to 'true' for Firefox to send Kerberos tickets to the site, when using short-form URLs.