Currently Elytron SPNEGO authnetication is tcp connection scoped, whereas legacy SPNEGO for applications is http-session scoped.
This different approach can bring these behaviour differences after migration from legacy to Elytron:
- if deployment is behind reverse proxy it can lead to user "cross talk" (different http session, but same TCP connection) 
- more frequent kerberos negotiation cycles
- load balancer switches to another node (same http session, but new TCP connection)
- new tab in browser (same http session, but new TCP connection) 
 JBEAP-11882 - (7.1) Using a proxy and spnego on the EAP 7 management console leads to user "cross talk"