I have problem to achieve this scenario with elytron:

1. Client sends non kerberos OID mechanism as most preferred with non kerberos ticket
2. Server response with "continuation required"
3. Client sends kerberos ticket
4. Server response with 401 instead of 200

Actually, it is scenario tested in [1]. It worked correctly in EAP 7.0 . Also works with elytron when client sends non-kerberos OID mechanism with kerberos ticket.

Problem as I see is that SpnegoAuthenticationMechanism:

1. Creates gssContext with first provided ticket (non-kerberos) and sends "continuation required"
2. Client provide proper kerberos ticket, but that anyway leads to 401 bare challenge, because gssContext was already created in first step and is not tried to make again.

Setting to critical as it behaves differently compared to EAP 7.0 and IMHO it doesn't comply to spec [2]. Similar error was resolved in EAP 7.0 (JBEAP-3709) as blocker because customer case existed for that.

[1] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L344
[2] https://tools.ietf.org/html/rfc4178