[
https://issues.jboss.org/browse/WFLY-8295?page=com.atlassian.jira.plugin....
]
Martin Choma updated WFLY-8295:
-------------------------------
Steps to Reproduce:
* On IBM java
* Follow
https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildF...
* While adding the kerberos-security-factory, add the obtain-kerberos-ticket = true option
{code}
/subsystem=elytron/kerberos-security-factory=krbSF:add( \
principal="HTTP/host@REALM", \
path="/path/to/http.keytab", \
obtain-kerberos-ticket="true", \
mechanism-oids=[ \
1.2.840.113554.1.2.2, \
1.3.6.1.5.5.2 \
] \
)
{code}
was:
* On IBM java
* Follow
https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_en...
* In step 2.4.1.1, while adding the kerberos-security-factory, add the obtain-kerberos-ticket = true option
{code}
/subsystem=elytron/kerberos-security-factory=krbSF:add( \
principal="HTTP/host@REALM", \
path="/path/to/http.keytab", \
obtain-kerberos-ticket="true", \
mechanism-oids=[ \
1.2.840.113554.1.2.2, \
1.3.6.1.5.5.2 \
] \
)
{code}
Elytron, Unable to authenticate with SPNEGO on IBM java if obtain-kerberos-ticket = true
----------------------------------------------------------------------------------------
Key: WFLY-8295
URL: https://issues.jboss.org/browse/WFLY-8295
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Critical
Labels: ibm-java, kerberos
On IBM Java, when obtain-kerberos-ticket is set to true, the user always gets
{code}
javax.security.auth.login.LoginException: Bad JAAS configuration: credsType and keytab values are not compatible
{code}
According to the IBM documentation [1], credsType=initiator and useKeytab are really incompatible.
This constraint can't be avoided once obtain-kerberos-ticket = true, because the keytab path is required in the model.
{code}
"path" => {
    "type" => STRING,
    "description" => "The path of the KeyTab to load to obtain the credential.",
    "attribute-group" => "file",
    "expressions-allowed" => true,
    "required" => true,
    "nillable" => false,
    "min-length" => 1L,
    "max-length" => 2147483647L,
    "access-type" => "read-write",
    "storage" => "configuration",
    "restart-required" => "resource-services"
},
{code}
And the keytab is always set in the Kerberos login module options
{code:title=GSSCredentialSecurityFactory.java}
if (IS_IBM) {
    options.put("noAddress", "true");
    options.put("credsType", (isServer && !obtainKerberosTicket) ? "acceptor" : "initiator");
    options.put("useKeytab", keyTab.toURI().toURL().toString());
}
{code}
[1] https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.sec...
I am not setting this to blocker just because I am not sure about the importance of
obtain-kerberos-ticket. See my question JBEAP-9292.
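The conflict described in this issue, as an added example that is not part of the original report or the Elytron code base: a Python preflight check that parses the CLI operation from the steps to reproduce, derives the IBM login-module options the way the quoted GSSCredentialSecurityFactory.java branch does, and reports the credsType/useKeytab combination. The function names, the `is_server` parameter and the `file:` URL form are assumptions made for illustration.

```python
import re

# Constructed sample: the CLI operation from the steps to reproduce.
SAMPLE_OP = r'''/subsystem=elytron/kerberos-security-factory=krbSF:add( \
principal="HTTP/host@REALM", \
path="/path/to/http.keytab", \
obtain-kerberos-ticket="true", \
mechanism-oids=[ \
1.2.840.113554.1.2.2, \
1.3.6.1.5.5.2 \
] \
)'''

def parse_add_op(op):
    """Return (resource name, attribute dict) for a kerberos-security-factory add op."""
    flat = re.sub(r"\\\s*\n", " ", op)  # undo CLI line continuations
    m = re.search(r"kerberos-security-factory=([^:\s]+):add\((.*)\)\s*$", flat, re.S)
    if not m:
        raise ValueError("not a kerberos-security-factory add operation")
    attrs = {}
    # A value is a [list], a "quoted string", or a bare token.
    for key, val in re.findall(r'([\w-]+)\s*=\s*(\[[^\]]*\]|"[^"]*"|[^,\s)]+)', m.group(2)):
        if val.startswith("["):
            attrs[key] = [v.strip() for v in val[1:-1].split(",") if v.strip()]
        else:
            attrs[key] = val.strip('"')
    return m.group(1), attrs

def ibm_login_options(attrs, is_server=True):
    """Mirror the IS_IBM branch quoted above (is_server is a hypothetical parameter)."""
    obtain = attrs.get("obtain-kerberos-ticket", "false").lower() == "true"
    return {
        "noAddress": "true",
        "credsType": "acceptor" if (is_server and not obtain) else "initiator",
        "useKeytab": "file:" + attrs["path"],  # simplified stand-in for keyTab.toURI().toURL()
    }

def check_ibm(op, is_server=True):
    """Return a list of findings for IBM Java; an empty list means no conflict."""
    name, attrs = parse_add_op(op)
    opts = ibm_login_options(attrs, is_server)
    if opts["credsType"] == "initiator" and "useKeytab" in opts:
        return [f"{name}: credsType=initiator with useKeytab={opts['useKeytab']} "
                "is reported incompatible on IBM Java (WFLY-8295)"]
    return []

if __name__ == "__main__":
    print(check_ibm(SAMPLE_OP))
```

Because `path` is required in the model, the check fires for every factory that sets obtain-kerberos-ticket to true, which matches the behaviour reported here.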