Firefox

Firefox only allows Kerberos tokens to sites matching the network.negotiate-auth.trusted-uris list.

This list is comma-separated and may contain wildcards or FQDN names.

Configuring network.negotiate-auth.trusted-uris manually

For testing purposes, you can set network.negotiate-auth.trusted-uris manually by entering about:config in the address bar, then search the setting and enter the list:

Making a Group Policy for network.negotiate-auth.trusted-uris

On the domain controller, run Group Policy Management (gpmc.msc), and create or locate a policy that contains user objects.

Create the new Group Policy and edit it after creation

Create a new logon script

Navigate to User Configuration - Policies - Windows Settings - Scripts and open Logon. The logon script may be placed anywhere on a file server or inside the policy itself.
In this example, firefox-settings.bat and user.js are placed inside the policy itself.

Add..

Choose Add.. and then Browse. Windows Explorer will open the path to the Sysvol Policy.
Example: \\example.local\SysVol\example.local\Policies\{2D1CB1B7-F1BD-4CE8-8B3D-2F9FD06A764C}\User\Scripts\Logon

Right-click and make a new text document with the following content.
Save the file as firefox-settings.bat
if exist "%APPDATA%\Mozilla\Firefox" for /D %%F in ("%APPDATA%\Mozilla\Firefox\Profiles\*") do copy /y Example: \\example.local\SysVol\example.local\Policies\{2D1CB1B7-F1BD-4CE8-8B3D-2F9FD06A764C}\User\Scripts\Logon\user.js %%F
Create a new file named user.js with the content to match your domain. (The file must be named user.js)
Commas separate multiple names. example.com is treated as *.example.com
user_pref("network.negotiate-auth.trusted-uris", "example.com,issues.example.com");
Finish the dialogue by opening firefox-settings.bat

The complete policy

Configuring network.negotiate-auth.allow-non-fqdn

In some cases, you may need to set this to 'true' for Firefox to send Kerberos tickets to the site when using short-form URLs.