Chrome Version       : 60.0.3112.90 (with --headless option)
Other browsers tested:
     Chrome: 60.0.3112.90 (without --headless option) OK

What steps will reproduce the problem?
(1) Be inside a Windows/Active Directory domain
(2) Get a standard Debian VM running, install google-chrome-stable and krb5-user
(3) Configure Kerberos in /etc/krb5.conf to match your AD domain (realm = uppercase domain, KDC = Domain controller)
(4) Configure the AuthSchemes and AuthServerWhitelist policies for your domain (based on https://www.chromium.org/administrators/linux-quick-start)
(5) Get a TGT from the KDC: kinit user@REALM
(6) Perform a request on a resource that requires Negotiate authentication against the AD domain: google-chrome-stable --headless --disable-gpu <protected resource>

What is the expected result?
- Chrome receives a 401 response with a Negotiate authentication challenge (WWW-Authenticate: Negotiate)
- As the Negotiate scheme is whitelisted for this domain, chrome proceeds with SPNEGO authentication
- The protected resource is displayed

What happens instead?
In GUI Chrome: works perfectly

In Headless Chrome: 
- No new request is issued after the initial 401 response
- The page displayed is the server's 401 error page
- The following log appears:
[VERBOSE1:http_auth.cc(47)] Unable to create AuthHandler. Status: net::ERR_INVALID_RESPONSE Challenge: Negotiate



The use case for Negotiate in headless mode is for a CI server testing an Angular app, which uses a .NET backend served by IIS and protected by AD authentication over Negotiate/Kerberos. The idea would be to login non-interactively (kinit with keytab file) at the beginning of an e2e test run, and have chrome use these credentials when performing the backend calls.

Please let me know if any more information is needed, thanks.