Attribute for-hosts for Security Realm with Kerberos does not select keytab in defined order -------------------------------------------------------------------------------------------- Key: WFCORE-820 URL: https://issues.jboss.org/browse/WFCORE-820 Project: WildFly Core Issue Type: Bug Components: Domain Management Affects Versions: 2.0.0.Alpha9 Reporter: Tomas Hofman Assignee: Tomas Hofman Fix For: 2.0.0.Alpha11 This was cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1228228 Attribute for-hosts for Security realm with Kerberos does not select keytab in order which is described in $EAP_SERVER/docs/schema/jboss-as-config_1_7.xsd (begin on line 456). According to this XSD hostname values from for-hosts attributes (steps 1. nad 2.) are iterated before values obtained from principal (steps 3. and 4.). In case when keytab element (denote as keytab1) contains for-hosts attribute with hostname EXAMPLE and some another keytab element (denote as keytab2) contains principal HTTP/EXAMPLE(a)SOMETHING.COM then keytab2 is selected instead of keytab1. It means step 3. is performed before step 2. Configuration for mentioned above example: {code:xml} <server-identities> <kerberos> <keytab principal=&quot;HTTP/ANYVALUE(a)SOMETHING.COM&quot; path="/path/to/krb1.keytab" for-hosts="EXAMPLE"/> <keytab principal=&quot;HTTP/EXAMPLE(a)SOMETHING.COM&quot; path="/path/to/krb2.keytab" for-hosts="SOMEHOST"/> </kerberos> </server-identities> {code} In case when hostname in for-hosts contains also protocol (HTTP/EXAMPLE instead of EXAMPLE) then it works correctly.