This property determines the behavior of a single sign-on LTPA Token2 login.
When this property value is set to true, the token contains a custom cache key, and the custom Subject cannot be found, the token is used to log in directly as the custom information needs to be gathered again. A challenge occurs so that the user to login again. When this property value is set to false and the custom Subject is not found, the LTPA Token2 is used to login and gather all of the registry attributes. However, the token might not obtain any of the special attributes that downstream applications might expect.
By default the configuration script sets a WebSphere Application Server property, com.ibm.ws.security.webChallengeIfCustomSubjectNotFound, to false to ensure that web sessions can seamlessly transfer between two servers in a cluster (for example, in a fail over scenario) without being asked for security credentials. This setting allows the security token used by WebSphere Application Server to be validated correctly, without user input.
If this behavior is not required it is possible to change this property to true, see Set up the System JAAS Login Module for more information on setting Security custom properties. If the property is set to true, when a web session switches from one server in the cluster to another, perhaps due to the original server failing, the user will be asked for security information before being able to proceed.