In order to get the jboss-negotiation-toolkit.war working under AS7.1, in addition to the above, I had to add an extra login-module to the SPNEGO security-domain.
<login-module code="RealmUsersRoles" flag="required">
<module-option name="usersProperties" value="/path/to/application-users.properties"/>
<module-option name="rolesProperties" value="/path/to/application-roles.properties"/>
<module-option name="realm" value="ApplicationRealm"/>
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
This is basically a copy of the entry for the "other" domain. I had to add the full path to the two properties files as it didn't like ${jboss.server.config.dir} (I was running on Windows using standalone.bat).
Lastly, I had to add the user entry to application-roles.properties
username@DOMAIN=Users