We were forced to create our own version of NegotiateSecurityFilter and WindowsPrincipal, because HttpSession#setAttribute requires WindowsPrincipal to be serializable.
The fix on WAFFLE code will look like this:
public class WindowsPrincipal implements Serializable
No changes needed to NegotiateSecurityFilter. Our custom version did need the change of course, because we have to use a subclass of WindowsPrincipal. That subclass implements Serializable, and must be coded into our special version of NegotiateSecurityFilter.
After that, WAFFLE 1.3 worked for us. But this fix must be added to WAFFLE itself.