I will need to take a careful look at this. If you have the time, can you double-check that the Active Directory plugin does not exhibit similar problems? This will be the first item to check, since negotiate-sso-plugin relies on the existing security realm (it does not contain its own security realm).
Notably, negotiate-sso-plugin does call one of the recommended methods (source); however, the current version has not been fully released (the current release uses reflection to call the method). I need to do a general update and a new release, and see if that resolves the issue first, but testing will take time, which I don't have much of.