I am trying to use PackageNames.Kerberos instead of PackageNames.Negotiate in order to only accept Kerberos authentication.

Ideally, I'd like to do this in a client-agnostic way, where I still return WWW-Authenticate: Negotiate and then I parse the Negotiate <token> header and pass it to AcceptToken, but with PackageNames.Kerberos.

I tried exactly that, but I'm getting Failed to call AcceptSecurityContext. Error Code = '0x80090300' - \"Not enough memory.\"."

Could I get a clarification of the exact use-case for PackageNames.Kerberos and whether what I'm trying to do is supposed to fail by design ? Thanks in advance :)

What you're trying to do doesn't make sense. You can't take a token generated by a client-side Negotiate package and feed it to the server-side Kerberos package. It broke because you misrepresented the content of the token.

A negotiate token has to be fed to the negotiate package; a kerberos token has to be fed to the kerberos package. They're not the same protocol, and the contents of their tokens are completely different. You can't transform a negotiate token into a kerberos token. Once a client has given you a token, you have to deal with it as they've given it to you. The client did everything correct - you said you support negotiate (since you say WWW-Authenticate: Negotiate), so they sent you a negotiate token. You broke your side of the deal by trying to treat a negotiate token as a kerberos token. Don't do that.