When Marcus and I discussed this issue earlier today, we first considered adding some kind of check (for example, to make sure the login module is not the IBM Kerberos LM) in the AuthenticationInfo class before setting the security-domain name option, to avoid this kind of problem. This approach has a clear downside: if later on we find out about another login module that doesn't accept extra options, we will have to change our check and the code will have to be re-compiled. Thus, I think the approach Marcus is suggesting is better, as it will allow users to specify that they don't want security domain name to be automatically inserted as a module option in the configuration file. This way, no code has to re-compiled or changed. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4104344#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...