If a Java client does the kerberos authentication to EAP and the HTTP SPN contains IPv6 address, then authentication fails because IBM implementation of JGSSAPI strips square brackets from the SPN.

e.g. server name is initialized to "HTTP/[2620:52:0:2804:2430:ba4:52c6:8453]" in the client, but during GSSContext.initSecContex(...) it's changed to "HTTP/2620:52:0:2804:2430:ba4:52c6:8453"

The problem comes from a method Krb5Name.getHostBasedNameString(), which is called from:
  com.ibm.security.jgss.mech.krb5.Krb5Name.canonicalize
  com.ibm.security.jgss.mech.krb5.Krb5Name.init (Krb5Name.java:260)
  com.ibm.security.jgss.mech.krb5.Krb5Name.<init> (Krb5Name.java:265)
  com.ibm.security.jgss.mech.krb5.Krb5MechFactory.getNameElement (Krb5MechFactory.java:155)
  com.ibm.security.jgss.GSSManagerImpl.createMechName (GSSManagerImpl.java:262)
  com.ibm.security.jgss.GSSNameImpl.createMechName (GSSNameImpl.java:549)
  com.ibm.security.jgss.GSSNameImpl.canonicalize (GSSNameImpl.java:275)
  com.ibm.security.jgss.mech.spnego.SPNEGOContext.createContext (SPNEGOContext.java:964)
  com.ibm.security.jgss.mech.spnego.SPNEGOContext.getPreferredMech (SPNEGOContext.java:1,185)
  com.ibm.security.jgss.mech.spnego.SPNEGOContext.createInitToken (SPNEGOContext.java:1,132)
  com.ibm.security.jgss.mech.spnego.SPNEGOContext.initSecContext (SPNEGOContext.java:529)
  com.ibm.security.jgss.GSSContextImpl.initSecContext (GSSContextImpl.java:382)
  com.ibm.security.jgss.GSSContextImpl.initSecContext (GSSContextImpl.java:331)

Workaround:
Use Oracle JDK or OpenJDK on the client.

This issue doesn't root in EAP, but we hit this with EAP testsuite in tests which employs Kerberos authentication.