I have problem to achieve this scenario with elytron on IBM java:

1. Using IBM Java
2. Client sends non kerberos OID mechanism as most preferred with non kerberos ticket
3. Server response with "continuation required"
4. Client sends kerberos ticket
5. Server response with 401 instead of 200
6. In server there is error

   10:43:35,570 TRACE [org.wildfly.security] (default task-3) GSSContext message exchange failed: org.ietf.jgss.GSSException, major code: 10, minor code: 0
   	major string: Defective token
   	minor string: Bad token tag: -95
   	at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:5)
   	at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:33)
   	at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:102)
   	at com.ibm.security.jgss.TokenHeader.<init>(TokenHeader.java:70)
   	at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:119)
   	at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:186)
   	at org.wildfly.security.http.impl.SpnegoAuthenticationMechanism.evaluateRequest(SpnegoAuthenticationMechanism.java:138)
   	at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:115)
   	at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
   	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:106)
   	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:90)
   	at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:74)
   	at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:82)
   

Basically, it is same scenario as tested in [1] (for legacy security).

This scenario works correctly

• on Oracle and OpenJDK java with elytron in EAP 7.1
• with legacy security on IBM java in EAP 7.1

Setting high priority as:

• It works in legacy security, so customers won't be able to migrate
• Similar error was resolved in EAP 7.0 (JBEAP-3709) as blocker because customer case existed for that.

[1] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L344
[2] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L357