Currently Elytron SPNEGO authnetication is tcp connection scoped, whereas legacy SPNEGO for applications is http-session scoped.

This different approach can bring these behaviour differences after migration from legacy to Elytron:

• if deployment is behind reverse proxy it can lead to user "cross talk" (different http session, but same TCP connection) [1]
• more frequent kerberos negotiation cycles
• load balancer switches to another node (same http session, but new TCP connection)
• new tab in browser (same http session, but new TCP connection) [2]

[1] JBEAP-11882 - (7.1) Using a proxy and spnego on the EAP 7 management console leads to user "cross talk"
[2] https://superuser.com/questions/1055281/do-web-browsers-use-different-outgoing-ports-for-different-tabs