Score:0

OpenCms: Kerberos SSO authentication with httpd+Tomcat


I have a standalone httpd+Tomcat 8.5.65 installation on OpenJDK 11 with OpenCms 11.0.2 for my client's internal website.

They have an LDAP network and they're requesting the automated logon using Kerberos (krb5).

We configured SPNego and it works on Tomcat: a test JSP page including the code:

 <%= request.getRemoteUser() %> 

works as intended (prints the username) when accessed through Tomcat directly (port 8080). But when I access OpenCms via Tomcat, this authentication doesn't work. Specifically, the CmsJspLoginBean object's isLoggedIn() method returns false. In other words, the current user is [Guest].

Is there anything I have to do to "connect" OpenCms to Kerberos on the OpenCms side, knowing that Tomcat is already correctly configured?

Also: OpenCms has the LDAP Connector installed and it works; I don't think it has anything to do with this.

Score:1

Yes, you need to map the remote user to the OpenCms user registry and upon request need to create a session with OpenCms for this remote user. Ideally, this is done with your own user authenticator implementation, which results in a true seamless SSO experience (no rocket science). Let me know if you need further help with this.

user3804769
Hi, thanks! Could this be done with any of the default OpenCms authenticators? This is actually an upgrade from OpenCms 9 which is on an obsolete server and uses one of the default implementations.
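
A sketch of the custom authenticator the answer describes, added here as an example; it is not code from the thread or from the OpenCms project. The class name, package and realm are hypothetical. It assumes the OpenCms 11 `I_CmsAuthorizationHandler` API (privileged login action, `registerSession`) and that the class is registered as the authorization handler in `opencms-system.xml`.

```java
package com.example.sso; // hypothetical package name

import javax.servlet.http.HttpServletRequest;
import org.opencms.file.CmsObject;
import org.opencms.main.CmsException;
import org.opencms.security.CmsDefaultAuthorizationHandler;
import org.opencms.security.I_CmsAuthorizationHandler;

/** Hypothetical handler: logs the user Tomcat authenticated via SPNEGO into OpenCms. */
public class RemoteUserAuthorizationHandler extends CmsDefaultAuthorizationHandler {

    /** Assumption: the single Kerberos realm whose principals may be mapped. */
    private static final String TRUSTED_REALM = "EXAMPLE.LOCAL";

    @Override
    public CmsObject initCmsObject(
        HttpServletRequest request,
        I_CmsAuthorizationHandler.I_PrivilegedLoginAction loginAction) {

        // Map the container principal to an OpenCms user name; null means "do not trust".
        String userName = toOpenCmsUser(request.getRemoteUser());
        if (userName == null) {
            return super.initCmsObject(request, loginAction); // default (non-SSO) handling
        }
        try {
            // Password-less login for the mapped user, then bind it to the HTTP session
            // so later requests (and CmsJspLoginBean) see a logged-in user.
            CmsObject cms = loginAction.doLogin(request, userName);
            return registerSession(request, cms);
        } catch (CmsException e) {
            return null; // unknown or disabled OpenCms user: request continues as Guest
        }
    }

    /** Accepts "user" or "user@TRUSTED_REALM"; rejects other realms and service principals. */
    static String toOpenCmsUser(String principal) {
        if (principal == null) {
            return null;
        }
        int at = principal.indexOf('@');
        String name = at < 0 ? principal : principal.substring(0, at);
        String realm = at < 0 ? TRUSTED_REALM : principal.substring(at + 1);
        if (!TRUSTED_REALM.equals(realm) || !name.matches("[A-Za-z0-9._-]{1,64}")) {
            return null;
        }
        return name;
    }
}
```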