Forum Discussion
Kevin_Stewart
Mar 31, 2014Employee
The biggest difference between the two options (always or on 401), and besides frequency, is the format of the ticket (GSSAPI vs SPNEGO). I can almost certainly guarantee though, unless you've coded it to do so, that APM SSO is NOT handling the JSESSIONID cookie. If you perform a client side capture, or better watch the traffic on both sides of the proxy, you should see the JSESSIONID Set-Cookie header leave the server and make it all the way to the client. You should them see the client send subsequent requests with this cookie.