Kerberos SSO issues

A quick way to test server side Kerberos is to simply inject arbitrary username and domain session variables before the Allow block in the VPE (overriding whatever the client side process is creating). Also notice the Credential Source fields in the Kerberos SSO profile configuration. These are the session variables the SSO will use to do Kerberos. I generally change the "session.sso.token.last.username" to "session.logon.last.username", because it makes more sense semantically next to session.logon.last.domain, but it really doesn't matter. So if you create a variable assign agent directly before the Allow block in the VPE, and assign session.logon.last.username (or session.sso.token.last.username depending on the SSO profile), and session.logon.last.domain with arbitrary name and domain values, you'll be able to directly test the server side Kerberos authentication. You could also technically remove all of the client side authentication (start-variable assign-allow) so that your test is only influenced by the server side processes.