The most painful part of getting Kerberos logins working on web apps in one of my jobs was getting Firefox to accept Negotiate headers from our domains and actually perform the GSSAPI exchange using the user's keytab.
Windows has it somewhat centralized and well supported across many applications (especially those that simply use the system-provided HTML widget), and at least Chrome automatically picks up the system-wide config.
The problematic part wasn't handling Negotiate w/ GSSAPI on the server side, it was handling Negotiate w/ GSSAPI on the client side.
On the Keycloak side, it took a small configuration change (provide it with a keytab, pretty much). By also using OIDC with Keycloak, I could ensure that access based on LDAP group membership was checked before accessing the application.
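The Firefox side of the problem described above is the `network.negotiate-auth.*` prefs. The fragment below is an added example, not something posted in this thread, showing how to set them centrally through Firefox enterprise policies (`/etc/firefox/policies/policies.json` on Linux, or `distribution/policies.json` under the install directory elsewhere) instead of per-profile `about:config` edits. The hostnames `sso.example.com` and `app.example.com` are placeholders.

```json
{
  "policies": {
    "Authentication": {
      "SPNEGO": ["https://sso.example.com", "https://app.example.com"],
      "Delegated": [],
      "NTLM": [],
      "AllowNonFQDN": { "SPNEGO": false, "NTLM": false },
      "AllowProxies": { "SPNEGO": true, "NTLM": false },
      "Locked": true,
      "PrivateBrowsing": false
    }
  }
}
```

`SPNEGO` maps to `network.negotiate-auth.trusted-uris` and is the list that makes Firefox answer a `WWW-Authenticate: Negotiate` challenge with a ticket at all; a bare domain entry such as `example.com` also covers its subdomains, so prefer full `https://host` entries where the deployment allows it. `Delegated` (`network.negotiate-auth.delegation-uris`) lets the browser forward the user's credentials to the server, which is a much bigger grant than authenticating, so leave it empty unless a specific backend needs constrained delegation. `NTLM` is kept empty so a failed Kerberos attempt cannot silently degrade to NTLM, and `Locked` stops users from widening the lists in `about:config`.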
Hmm? All browsers, and curl, support Negotiate. There's support in many HTTP libraries for various languages as well. It's not universal though, that's for sure. At $WORK we have a [proprietary] client-side proxy to do Negotiate for apps that don't.
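Whether a client "supports Negotiate" is only half the question; the other half is whether the token it sends is actually a Kerberos ticket or an NTLM message wrapped in the Negotiate scheme. The following is an added example (not code from anyone in this thread) that parses the `Authorization: Negotiate <base64>` value a server receives and reports which mechanisms the client offered. The sample headers are constructed in the block, not captured from a real browser; the GSS-API/SPNEGO DER structure and the OIDs are from RFC 2743, RFC 4178 and RFC 4121.

```python
import base64

# OIDs as DER contents octets (without the 0x06 tag and length).
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (legacy Microsoft Kerberos OID)
NTLMSSP_OID = bytes.fromhex("2b060104018237020a")   # 1.3.6.1.4.1.311.2.2.10

OID_NAMES = {KRB5_OID: "kerberos", MS_KRB5_OID: "ms-kerberos", NTLMSSP_OID: "ntlmssp"}


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV."""
    return bytes([tag]) + _der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, contents, next_pos) for the TLV at buf[pos]; single-byte tags only."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def classify_negotiate(header_value: str) -> dict:
    """Classify the token carried in an 'Authorization: Negotiate ...' header value.

    kind is 'spnego', 'kerberos-raw', 'ntlm-raw' or 'unknown'; mechs lists the
    mechanisms offered, most preferred first.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError(f"not a Negotiate header: {scheme!r}")
    token = base64.b64decode(b64, validate=True)

    # A client that could not get a ticket typically sends a raw NTLMSSP message.
    if token.startswith(b"NTLMSSP\x00"):
        return {"kind": "ntlm-raw", "mechs": ["ntlmssp"]}

    tag, body, _ = read_tlv(token)
    if tag != 0x60:                      # InitialContextToken is [APPLICATION 0]
        return {"kind": "unknown", "mechs": []}
    oid_tag, this_mech, pos = read_tlv(body)
    if oid_tag != 0x06:
        return {"kind": "unknown", "mechs": []}
    if this_mech in (KRB5_OID, MS_KRB5_OID):
        return {"kind": "kerberos-raw", "mechs": [OID_NAMES[this_mech]]}
    if this_mech != SPNEGO_OID:
        return {"kind": "unknown", "mechs": ["oid:" + this_mech.hex()]}

    # NegotiationToken CHOICE: negTokenInit is [0]; a client never starts with negTokenResp.
    choice_tag, neg_init, _ = read_tlv(body, pos)
    if choice_tag != 0xA0:
        return {"kind": "spnego", "mechs": []}
    _, fields, _ = read_tlv(neg_init)              # NegTokenInit SEQUENCE
    field_tag, mech_types, _ = read_tlv(fields)    # mechTypes [0] comes first
    mechs = []
    if field_tag == 0xA0:
        _, oid_seq, _ = read_tlv(mech_types)       # SEQUENCE OF MechType
        p = 0
        while p < len(oid_seq):
            t, oid, p = read_tlv(oid_seq, p)
            if t == 0x06:
                mechs.append(OID_NAMES.get(oid, "oid:" + oid.hex()))
    return {"kind": "spnego", "mechs": mechs}


def kerberos_offered(header_value: str) -> bool:
    """True if the client offered (or sent) a Kerberos mechanism at all."""
    info = classify_negotiate(header_value)
    if info["kind"] == "kerberos-raw":
        return True
    return info["kind"] == "spnego" and any(m in ("kerberos", "ms-kerberos") for m in info["mechs"])


def make_spnego_init(mech_oids, mech_token: bytes = b"") -> str:
    """Build a constructed 'Negotiate <b64>' value carrying a NegTokenInit (for samples/tests)."""
    fields = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    if mech_token:
        fields += der(0xA2, der(0x04, mech_token))   # mechToken [2] OCTET STRING
    neg_init = der(0xA0, der(0x30, fields))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO_OID) + neg_init)).decode()


# Constructed samples; the 16 zero bytes stand in for a real Kerberos AP-REQ.
SAMPLE_KERBEROS = make_spnego_init([KRB5_OID, MS_KRB5_OID, NTLMSSP_OID], mech_token=b"\x00" * 16)
SAMPLE_NTLM_ONLY = make_spnego_init([NTLMSSP_OID])
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28).decode()

if __name__ == "__main__":
    for name, hdr in [("kerberos", SAMPLE_KERBEROS), ("ntlm-only", SAMPLE_NTLM_ONLY), ("raw-ntlm", SAMPLE_RAW_NTLM)]:
        print(name, classify_negotiate(hdr), "kerberos offered:", kerberos_offered(hdr))
```

Logging `classify_negotiate()` on the first request of a 401 loop tells you immediately which side to debug: a `spnego` result whose first mechanism is `kerberos` means the browser trusted the URI and got a ticket, so the problem is the keytab or SPN on the server; `ntlm-raw` or an `ntlmssp`-only offer means the client never tried Kerberos, which is exactly the Firefox trusted-URI problem the first post describes. As a quick eyeball check, a real Kerberos SPNEGO token encodes to base64 beginning with `YII`, while a raw NTLM message begins with `TlRMTVNTUAA`.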