
I used it to authenticate against some WebDAV intranet sites hosted on SharePoint Online. Formerly, on an SSO standard Windows AD-integrated system, you needed to open Internet Explorer once. It did some arcane voodoo in the background; you didn't need to do anything with it, just close it again. But if you did that, you could connect to SharePoint sites through the file explorer via WebDAV. This process needed to be repeated every other week when the arcane voodoo authentication needed to be refreshed.


Probably getting you a Kerberos ticket (which would subsequently be available to other services like Explorer). Hitting it with another browser (which needs to be configured to use Kerberos) probably led to an NTLM auth in response to the Negotiate header. NTLM isn’t a global credential and doesn’t get a Kerberos ticket.


Both Firefox and Chrome can get the Kerberos ticket themselves, but it is necessary to whitelist sites that can use SPNEGO. For Firefox, the settings are separate for NTLM and SPNEGO, so one can be disabled and the other whitelisted.

Interestingly, Edge for Linux doesn't support SPNEGO at all.


This is mostly true, however there’s a major caveat with Chrome: your ticket can’t be too large. Too many group memberships and Kerberos fails in Chrome.

The lack of support for SPNEGO in Edge for Linux isn’t entirely surprising, though I am curious what the excuse is.
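An added example, not part of any comment above: a small classifier for an HTTP `Authorization` header value that tells a raw NTLM message from a Kerberos or SPNEGO token (the fallback the thread describes) and reports the decoded token size. The function names are illustrative and the sample tokens are constructed, minimal byte strings, not captured traffic.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                          # signature that opens every NTLM message
OID_SPNEGO = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def _der_len(buf, i):
    """Read a DER length at buf[i]; return (length, index just past it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify(header_value):
    """Classify an Authorization header value by the mechanism its token carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64:
        return {"mechanism": "not-negotiate", "bytes": 0}
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                            # binascii.Error is a ValueError
        return {"mechanism": "invalid-base64", "bytes": 0}
    out = {"mechanism": "unknown", "bytes": len(tok)}
    if tok.startswith(NTLMSSP) and len(tok) >= 12:
        msg = int.from_bytes(tok[8:12], "little")
        out["mechanism"] = "NTLM " + NTLM_TYPES.get(msg, "type %d" % msg)
    elif len(tok) > 4 and tok[0] == 0x60:         # GSS-API initial context token
        _, i = _der_len(tok, 1)
        if i < len(tok) and tok[i] == 0x06:       # mechanism OID follows
            n, j = _der_len(tok, i + 1)
            oid = tok[j:j + n]
            if oid == OID_KRB5:
                out["mechanism"] = "Kerberos"
            elif oid == OID_SPNEGO:
                # Heuristic: an NTLMSSP signature inside the wrapper means
                # the token being offered is NTLM, not a Kerberos ticket.
                out["mechanism"] = "SPNEGO+NTLM" if NTLMSSP in tok else "SPNEGO"
    return out

def constructed_samples():
    """Constructed header values: a raw NTLM type 1 and a minimal SPNEGO wrapper."""
    ntlm = NTLMSSP + (1).to_bytes(4, "little") + bytes(4)
    body = b"\x06\x06" + OID_SPNEGO + b"\xa0\x0d\x30\x0b\x06\x09" + OID_KRB5
    spnego = b"\x60" + bytes([len(body)]) + body
    return ["Negotiate " + base64.b64encode(t).decode() for t in (ntlm, spnego)]

if __name__ == "__main__":
    for value in constructed_samples():
        print(classify(value))
```

Run over proxy or web server logs that record the header, the `mechanism` field shows which clients are falling back to NTLM, and `bytes` shows how large the tokens they send are.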



