[ https://issues.jboss.org/browse/JGRP-2207?page=com.atlassian.jira.plugin.... ] Mirko Streckenbach commented on JGRP-2207: ------------------------------------------ [~belaban] Your example has AUTH configured on both stacks which works fine. My example omits AUTH on the second stack, so only the coordinator has AUTH. In that case it does not work regardless of authenticate_coord (our original code has that set, I shortened it for the example). IMHO the following code is responsible: {code} if(gms_hdr != null && needsAuthentication(gms_hdr)) { AuthHeader auth_hdr=msg.getHeader(id); if(auth_hdr == null) throw new IllegalStateException(String.format("found %s from %s but no AUTH header", gms_hdr, msg.src())); if(!handleAuthHeader(gms_hdr, auth_hdr, msg)) // authentication failed return null; // don't pass up } {code} If this runs on the coordinator and the second stack tries to join an IllegalStateException is thrown and that results in the package dropped, without a rejection being sent. My suggestion would be to change it to something like (untested): {code} if(gms_hdr != null && needsAuthentication(gms_hdr)) { AuthHeader auth_hdr=msg.getHeader(id); if(auth_hdr == null) { log.warn(...) sendRejectionMessage(gms_hdr.getType(), msg.getSrc(), "authentication failed"); return null; } if(!handleAuthHeader(gms_hdr, auth_hdr, msg)) // authentication failed return null; // don't pass up } {code} However, this might have other side effects well beyond my understanding of JGroups We are going to create distributed locks on top of the example, so a rogue cluster does not sound too good for us. Thanks for your hints regarding AUTH and encryption. This is not something we plan on using right now, but might be a topic for the future. -- This message was sent by Atlassian JIRA (v7.2.3#72005)