I am attempting to set up a Kerberos SSO application using JBoss, ActiveDirectory and Firefox version 48. I have configured JBoss and AD and am now trying to access the application (http://gig-jboss-dev.ajga.com/CBN) through FireFox. I added the domain to the network.negotiate-auth.trusted-uris as ".ajga.com". When I attempt to access the site I can see in Fiddler that the server is returning the 401 with the WWW-Authenticate set to Negotiate. But the browser sends back a NTLM token, not the kerberos ticket. I have a application on another server that was set up a long time ago and using the procedure above it works perfectly (http://cbn.ajga.com). Is this a problem with my Firefox browser or my jboss server configuration? How is the decision made to send the Kerberos ticket in Firefox? I have tried the negotiateauth:5 troubleshooting steps and it only tells me that I am sending a 40 character token, which I already know. I don't see anything in the file telling me why it is sending that token.