Running Jenkins as a service using the standard method (i.e. running it directly, not in a container)
ActiveDirectory plugin was/is working fine. I added the "Negotiate SSO Plugin" and it immediately started returning 413 errors to all requests, which indicates that the header is too large (a known problem with Kerberos).
It does this to all calls from IE and Chrome. Checking the documentation for Waffle, there are various methods of increasing the header size - but I can't see how to do so for the version of Jetty that Jenkins is embedded in: