Kerberos

WWW-Authenticate: Negotiate (for Kerberos SSO) not working in Firefox?

In connection with the plans to transfer everything to SSO in general, I am gradually debugging issues related to this. An important issue is working with corporate http(s) resources.
The test configuration is as follows:
on both Gentoo Linux machines, world rebuilt with USE="kerberos", Kerberos library - mit-krb5-1.9.4-r1
web server - Apache 2.2.23, mod_auth_kerb 5.3
browser - Firefox 10.0.5 (ESR)
KDC - MIT, on the same machine as the web server.
The user successfully receives the TGT using kinit on both machines. Everywhere kadmin works correctly. Other services that use Kerberos (for example, ssh, nfs4) work, while on the client side, their service tickets appear in the ticket cache, as expected.
(all domain names below are fictitious)
.htaccess is the following:

AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms MYDOMAIN.SMTH.RU
require valid-user
KrbServiceName http
Krb5Keytab /etc/apache2/krb5.keytab
KrbMethodK5Passwd off
KrbSaveCredentials on

The following settings are made in about:config on the client:
(default)
network.negotiate-auth.allow-proxies = (boolean) true
network.negotiate-auth.delegation-uris = (string) ""
network.negotiate-auth.gsslib = (string) ""
network.negotiate-auth.using-native-gsslib = (boolean) true
(set by user)
network.negotiate-auth.trusted-uris = (string)
In the last parameter, I tried the following options:

http://www.mydomain.smth.ru/, www.mydomain.smth.ru, mydomain.smth.ru, srv.mydomain.smth.ru

(the DNS zone mydomain.smth.ru has a record www CNAME srv)
If you enable KrbMethodK5Passwd on in .htaccess, then the usual Basic authentication occurs, login-password is sent to the server in clear text. There, judging by the KDC log, he already receives all the tickets (user, and then the service user). In short, it works, but the main task - SSO and security (do not send the password over the network) - has not been solved.
By the way, for some reason, although I'm referring to www.mydomain.smth.ru, I had to add the service principal to the keytab exactly http/[email protected]; apparently it's because of the www CNAME srv in the DNS zone.
If KrbMethodK5Passwd is off, nothing happens. Server-client communication looks like this (.htaccess is in krb5):
GET /krb5/phpinfo.php HTTP/1.1
Host: www.mydomain.smth.ru
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.5) Gecko/20100101 Firefox/10.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/* ;q=0.8
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age =0
HTTP/1.1 401 Authorization Required
Date: Sat, 19 Jan 2013 09:21:52 GMT
Server: Apache
WWW-Authenticate: Negotiate
Content-Length: 470
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (eg, bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache Server at www.mydomain.smth.ru Port 80< /address>
</body></html>
And then Fx shows this page without trying to interact further.
TGT present, klist output:
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: [email protected]
Valid starting Expires Service principal
01/19/13 10:21:28 01/20/13 10:21:28 krbtgt/[email protected]
renew until 01/19/13 10:21:28
Question: how to force Fx still use Negotiate auth?