Authentication now fails as unauthorized. More information to come.
With the upgrade to OpenAM 13.0.0 the Kerberos Trusted Realm attribute is added to the authentication module this requires there to be a list of realms which are deemed to be accessed from the kerberos server, the realm in question should be named after the domain the the KS is on in the case of my testing this was INTERNAL.FORGEROCK.COM.
To resolve the authentication from failing I had to create a realm with the name of the domain and add this to the trusted realms list in the Windows Desktop SSO Module, then on login I had to give this as the realm I wished to authenticate against.
Windows Desktop SSO will no longer work in top level realm.
The docs at http://openam.forgerock.org/doc/bootstrap/admin-guide/index.html#desktop-module-conf-hints do not contain any pertenent information about this and require updating, will be referenced in a seperate bug.