[brazzledazzle]

Probably getting you a kerberos ticket (which would subsequently be available to other services like explorer). Hitting it with another browser (which need to be configured to use Kerberos) probably led to an NTLM auth in response to the Negotiate header. NTLM isn’t a global credential and doesn’t get a kerberos ticket.

[vetinari]

Both Firefox and Chrome can get the kerberos ticket themselves, but it is necessary to whitelist sites that can use spnego. For Firefox, the settings are separate for ntlm and spnego, so one can be disabled and the other whitelisted.

Interestingly, Edge for Linux doesn't support spnego at all.

[brazzledazzle]

This is mostly true, however there’s a major caveat with chrome: your ticket can’t be too large. Too many group memberships and kerberos fails in chrome.

The lack of support for spnego in edge for linux isn’t entirely surprising though I am curious what the excuse is.