Getting authenticated against NTLM using the by-pass URL does not prevent Alfresco to request a Kerberos ticket later on when SSO is enabled.

Summary:
Even though you successfully getting authenticated with NTLM using the by-pass URL, as soon as you click on a link on the Explorer UI, Alfresco is requesting a Kerberos ticket to the client. This will lead to get authenticated as the windows user via Kerberos SSO and not anymore as the NTLM user. Therefore it is impossible to browse Alfresco Explorer as NTLM user if Kerberos SSO is enable when accessing via a client part of the domain.

Steps to reproduce:
1) Set up Kerberos SSO,

authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm
ntlm.authentication.sso.enabled=false
kerberos.authentication.sso.enabled=true

2) Ensure that you have at least 1 user on the AD 'aduser1' and 1 user is created as NTLM user 'user1' (also reproducible with default admin user),
3) Logon to the windows machine as the LDAP user 'aduser1',
4) Using Firefox 31 & IE 11 browse to http://alfresco:8080/alfresco/faces/jsp/login.jsp
5) Authenticate as the NTLM user 'user1',
6) After successfully being authenticated as the NTLM user 'user1' click on "My Alfresco" or any links within the UI.

Current behavior:
You are not anymore connected as 'user1' but as 'aduser1',

Expected behavior:
You should be able to browse Alfresco explorer as the NTLM 'user1',

Use case:
The customer is having a 3rd party application accessing to Alfresco as NTLM user. For maintenance purpose some end user need to have access to Alfresco via this NTLM user.
So far the only workaround found is to use another web browser that does not have SSO configured. Here OOTB Chrome for instance.
This cannot be reproduce with Alfresco Share.

Supporting evidence:
– Network Dump.
– Catalina.out
– JmxDump