Hello, i found some hints in answers.sap.com but nothing helped me.

The situation is this: I have a JEE application with Tomcat as servlet-container using Java 8.
I followed https://spnego.sourceforge.net/ to set up Kerberos-Authentication with delegation of credentials.
(Just for completeness: For using Edge as Browser I had to add a registry-entry to make delegation possible.)

In the last step i now have:

assert httpRequest instanceof DelegateServletRequest == true;
DelegateServletRequest dsr = (DelegateServletRequest) httpRequest;
GSSCredential gssCredential = dsr.getDelegatedCredential();
Subject subject = GSSUtil.createSubject(gssCredential.getName(), gssCredential);

The Subject-Instance explicitly contains the UPN (User Principal Name) of the signed in (delegated) user. (myuser@MYDOMAIN.DE)Now I use the Subject-Instance to change the identity like this:

Subject.doAsPrivileged(subject, action);

The 'action' contains the build of the destination including the destination-properties and calling destination.getAttributes().

The connection to SAP is built up using SNC! Setting the SNC-properties accordingly.

The Username/Password properties remain empty.

The property 'jco.client.snc_myname' contains: "p:CN=myuser@MYDOMAIN.DE".

I expected the SAP-call to be executed as the delegated user. But the sap-call always is executed as the account the Tomcat runs under.

How can I hand over the Kerberos-Ticket to the SAP JCo?

Googeling around I found nothing concrete. But I now guess, the Kerberos-Ticket has to be stored in the mslsa-Ticket-Cache on the java-side. And on the 'sapcrypto.dll'-side the ticket is fetched from the cache by using the 'jco.client.snc_myname'-property. But in the current versions of Windows the 'Credential Guard' prevents saving the ticket in the mslsa.I don't know how to go on from here.

Please help, I spent several days to find a solution.