Use different separators for service-type and service-name in Kerberos SPN.

net/http/http_auth_handler_negotiate.cc

Index: net/http/http_auth_handler_negotiate.cc
diff --git a/net/http/http_auth_handler_negotiate.cc b/net/http/http_auth_handler_negotiate.cc
index d05dfd96f0f0cdb27c1b6150e468362270ef49c3..28020eac6b1459e7060bf1d64f95d1611cce5767 100644
--- a/net/http/http_auth_handler_negotiate.cc
+++ b/net/http/http_auth_handler_negotiate.cc
@@ -111,7 +111,8 @@ bool HttpAuthHandlerNegotiate::AllowsDefaultCredentials() {
 
 std::wstring HttpAuthHandlerNegotiate::CreateSPN(
     const AddressList& address_list, const GURL& origin) {
-  // Kerberos SPNs are in the form HTTP/<host>:<port>
+  // Kerberos Web Server SPNs are in the form HTTP/<host>:<port> through SSPI,
+  // and in the form HTTP@<host>:<port> through GSSAPI
   //   http://msdn.microsoft.com/en-us/library/ms677601%28VS.85%29.aspx
   //
   // However, reality differs from the specification. A good description of
@@ -143,10 +144,16 @@ std::wstring HttpAuthHandlerNegotiate::CreateSPN(
   std::string server;
   if (!address_list.GetCanonicalName(&server))
     server = origin.host();
+#if defined(OS_WIN)
+  static const char kSpnSeparator = '/';
+#elif defined(OS_POSIX)
+  static const char kSpnSeparator = '@';
+#endif
   if (port != 80 && port != 443 && use_port_) {
-    return ASCIIToWide(StringPrintf("HTTP/%s:%d", server.c_str(), port));
+    return ASCIIToWide(StringPrintf("HTTP%c%s:%d", kSpnSeparator,
+                                    server.c_str(), port));
   } else {
-    return ASCIIToWide(StringPrintf("HTTP/%s", server.c_str()));
+    return ASCIIToWide(StringPrintf("HTTP%c%s", kSpnSeparator, server.c_str()));
   }
 }