by vetinari 1567 days ago
Oh yes, somebody implements it, many certainly heard of Active Directory ;) (or maybe even of FreeIPA).

However, it is not really safe to expose it publicly, so it is stuck to intranet only. Random services can ask the user for a ticket (domain does not have to match the realm!), so in your browser you need to whitelist hosts that are allowed to ask for SPNEGO. It does not help that both mobile platforms and macOS insist on using MDM to join the domain.

So if you manage to skip all the hurdles, you can use SSO like Keycloak that does accept SPNEGO for the user login and use it for SAML2/OIDC for all the other services. This way, your ad-joined-desktop/gnome-online-accounts/nomad.app login can work in the brave new world of web apps and apis outside your intranet.
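The browser allowlist this comment describes, shown as an added illustration (not the commenter's own configuration): a Firefox enterprise `policies.json` fragment that limits which hosts may receive a Negotiate/SPNEGO response, so an arbitrary site cannot prompt the browser for a ticket. The hostnames `sso.corp.example` and `intranet.corp.example` are placeholders.

```json
{
  "policies": {
    "Authentication": {
      "SPNEGO": ["sso.corp.example", "https://intranet.corp.example"],
      "Delegated": [],
      "AllowNonFQDN": { "SPNEGO": false },
      "AllowProxies": { "SPNEGO": false }
    }
  }
}
```

Chromium-based browsers use the `AuthServerAllowlist` policy for the same purpose; keeping `Delegated` empty also prevents credential forwarding to any of the listed hosts.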


There's not really much evidence that Kerberos was ever insecure to expose publicly - this seems to be more hearsay than any actual problem.

The biggest problem is the client setup story - and that honestly has more to do with the very inconsistent support in the application space than any real restrictions. It's "enterprisey" and has no story where the user owns their own device (then again so is SSO, and Microsoft would like all Windows machines to be joined to the big microsoft.com realm in the sky anyway).