There are three options how to select appropriate keytab element. Two of them are broken when IPv6 address is used:

1) Compare the host name against the host extracted from the request
Hostname is not correctly extracted from http request for Kerberos authentication into Management Console for IPv6 address. For that reason in case when following keytab is set in server configuration, then it is never taken into account in org.jboss.as.domain.http.server.security.SpnegoAuthenticator:
<keytab principal="HTTP/[2620:52:0:105f::ffff:1a]@JBOSS.ORG" path="${KEYTAB_PATH}"/>

Take a look at getHostName method of SpnegoAuthenticator [1]. It expects only IPv4 address. There may be another places where only IPv4 is expected.

2) From for-host attribute
It also is not taken into account when IPv6 address is set in for-hosts attribute:
<keytab principal="HTTP/[2620:52:0:105f::ffff:1a]@JBOSS.ORG" path="${KEYTAB_PATH}" for-hosts="[2620:52:0:105f::ffff:1a]"/>

Log output for this case:
TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) No mapping for name 'HTTP/[2620' to KeytabService, attempting to use host only match.
TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) No mapping for host '[2620' to KeytabService, attempting to use default.
TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) No KeytabService available for host '[2620' unable to return SubjectIdentity.
TRACE [org.jboss.as.domain.http.api] (HttpManagementService-threads - 1) No Subject available for host '[2620'

3) Set for-hosts to "*"
It works fine when for-hosts attribute is set to "*". It means that Kerberos authentication into Management Console with IPv6 works, but selecting appropriate keytab element with IPv6 address is broken.


[1] https://github.com/jbossas/jboss-eap/blob/6.x/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/SpnegoAuthenticator.java#L183