- the client sends a HTTP request.
- the server answers with "HTTP/1.1 401 UNAUTHORIZED" and
  WWW-Authenticate: Negotiate
- the client then sends a new request with
  Authorization: Negotiate and ~1000 byte cipher material

  initiator_name = pmc@INTRA.PHASE23
     -> correct, that is me
  lifetime = 23895
     -> correct, that is the remaining lifetime
  target_name = HTTP/admn-e.intra.daemon.contact@INTRA.PHASE23
     -> correct, that is the application server
  delegated_creds = None
     -> not correct, missing.

  ~2200 byte cipher material instead of 1000 byte.

  initiator_name = pmc@INTRA.PHASE23
  lifetime = 20718
  target_name = HTTP/admn-e.intra.daemon.contact@INTRA.PHASE23
  delegated_creds = <gssapi.creds.Credentials object at 0x2f31e737c760>

 network.negotiate-auth.trusted-uris:      admn-e.intra.daemon.contact
 network.negotiate-auth.delegation-uris:   admn-e.intra.daemon.contact

I had the same error again. I tried to connect the application server. It failed with a JSON exception. I started a different FF profile (i.e. different process). It also failed. I issued a new kerberos ticket and restarted the FF. It still failed. I restarted the application server. It still failed. The exact error on the server log is "Delegated credentials not supplied." and afterwards "Object of type Exception is not JSON serializable" and other bogus. The first message is obviousely the relevant one. I rebooted another desktop machine also with FF 140.7esr installed and issued a new ticket there. It failed all the same. I started tcpdump -A (full HTTP headers) and watched the traffic to the application server. A correct negotiation is happening: - the client sends a HTTP request. - the server answers with "HTTP/1.1 401 UNAUTHORIZED" and WWW-Authenticate: Negotiate - the client then sends a new request with Authorization: Negotiate and ~1000 byte cipher material I hacked into the server code to observe what is actually received in the (python) gssapi.sec_contexts.SecurityContext object. It is this: initiator_name = pmc@INTRA.PHASE23 -> correct, that is me lifetime = 23895 -> correct, that is the remaining lifetime target_name = HTTP/admn-e.intra.daemon.contact@INTRA.PHASE23 -> correct, that is the application server delegated_creds = None -> not correct, missing. I deinstalled FF 140.7esr on a desktop machine, and reinstalled FF 140.5esr. And the connection worked flawlessly on the first try. The delegated ticket was received and is now stored server-side. Now deleting it and evaluating anew:: In tcpdump -A the Authorization: Negotiate header now contains ~2200 byte cipher material instead of 1000 byte. And the server receives this: initiator_name = pmc@INTRA.PHASE23 lifetime = 20718 target_name = HTTP/admn-e.intra.daemon.contact@INTRA.PHASE23 delegated_creds = <gssapi.creds.Credentials object at 0x2f31e737c760> '''Please help me evaluate: '''what else can this be than a problem introduced in FF between 140.5esr and 140.7esr ? I have two options set in the about:config: network.negotiate-auth.trusted-uris: admn-e.intra.daemon.contact network.negotiate-auth.delegation-uris: admn-e.intra.daemon.contact But now things behave like when delegation-uris were not set!