On a recent support case the costumer is using IBM's Kerberos login module which was working fine in JBoss AS 4.0.4. Now he migrated to JBoss AS 4.2.0 and the login module fails with this stack trace: javax.security.auth.login.LoginException: Bad JAAS configuration: unrecognized option: jboss.security.security_domain at com.ibm.security.jgss.i18n.I18NException.throwLoginException(I18NException.java:7) at com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.java:622) at com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.java:416) at com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:238) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:615) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:795) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:209) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:709) at java.security.AccessController.doPrivileged(AccessController.java:242) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:706) at javax.security.auth.login.LoginContext.login(LoginContext.java:603) at org.epoline.security.sso.spnego.Configuration.login(Configuration.java:305) ... 101 more This option is related to this jira issue: http://jira.jboss.com/jira/browse/JBAS-1477 To resolve this issue AuthenticationInfo now puts an extra entry in all login modules options map to set the security-domain name. This extra entry is not recognized as a valid option in this specific login module thus the exception. The problem is specific to this particular login module but could lead to problems in others as well. A proposed solution could be modify the security-config schema so that an extra attribute is included in the <login-module> element. This attribute should be a boolean indicating if the login module accepts the security-domain name entry in the options map. The attribute should not be required and defaults to true, this way everything keeps working as they are. Whenever this problem occurs, the costumer has the option to set this attribute to false so that AuthenticationInfo doesn't put the entry in the map. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4104337#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...