Since Version 4 of JBossAS we had our own implementations of a SPNEGOAuthenticator and SPNEGOLoginModule. While trying to migrate to EAP 6 I wanted to switch to your imlementation, because it is officially supported.

Unfortunately I find that your implementation is not yet finished because it lacks in a fallback solution that is able to validate username/password from BASIC/FORM authentication with ActiveDirectory.

Since I had this feature in my old implementation I want to offer to contribute it here to the Negotiation component of the project (unfortunately there is no JIRA component for Negotiation).
I think this would be valuable for anybody using SPNEGO.

My implementation would even word for remote-ejb-calls (with plain username password sent OR when sending a kerberos ticket in the password field)

If you are interested I'll upload my code and configuration instructions (RedHat employees can already see it in Support Case 00640390).