Browsers only allow sending service tickets to a Kerberos service when they are explicitly configured to do so.

The configuration varies between browsers, but typically involve adding the site in the right Security Zone, or adding the site to some type of whitelist. 

How it works

Browser configuration is best managed centrally by the organisation, using Active Directory Group Policy Objects or similar technologies.

This examples shows how some common browsers are configured in a Windows environment. 

Edge, IE and Chrome all inspect the Site to Zone Assignment List policy, allowing Kerberos if the site is in the Local Intranet Security Zone

Firefox inspects the SPNEGO policy, allowing Kerberos if the site is in the network.negitiate-auth.trusted.uris whitelist.

Learn more

To enable browser support for Kerberos SSO with your Atlassian application, read and follow instructions for the browsers you wish to support: