Hello Thibault,
thanks for your answer.
Unfortunately your idea doesn't help me, because the problem is not the web-layer, but
the ejb layer.
My web-application makes a call to a stateless session bean (on node1 of the cluster) and
15 minutes later it makes another call to the bean (but this time the call goes to node2
in the cluster).
The web-application is clever enough to recognize that's the same user-session and
still has the principal. But the call to the second ejb gets intercepted by JBoss and the
username and credentials (which got distributed in the cluster) are validated again... but
unfortunately the credentials are too old now (a standard Kerberos service ticket has to
be validated within 5 minutes after it has been requested).
The solution would be that the "jboss.security:service=JaasSecurityManager"
MBean, configured in the jboss-service.xml in the conf-dir of a JBoss Server, doesn't
replay username and credential from the cache, but just keeps the information that the
current user is already authenticated.
best regards
Jochen
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4008148#...
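The failure described in this post, and the alternative it proposes, modelled as an added example that is not part of the original post and is not JBoss code. All class and method names, the sample user and timestamps, and the 30-minute bound on replicated authentication state are assumptions; only the 5-minute ticket window and the 15-minute gap come from the post (Java 16+ for records).

```java
import java.time.Duration;
import java.time.Instant;

// Added model, not JBoss code: every name below is hypothetical.
public class ReplayVsAuthState {
    // Acceptance window for a service ticket, as stated in the post.
    static final Duration TICKET_WINDOW = Duration.ofMinutes(5);
    // Assumed bound on how long a node trusts replicated "authenticated" state,
    // so that skipping revalidation does not turn into an unlimited session.
    static final Duration MAX_AUTH_STATE_AGE = Duration.ofMinutes(30);

    record Ticket(String user, Instant requestedAt) {}
    record AuthState(String user, Instant authenticatedAt) {}

    // Stand-in for the Kerberos check: the ticket must arrive inside the window.
    static boolean validateTicket(Ticket t, Instant now) {
        return !now.isAfter(t.requestedAt().plus(TICKET_WINDOW));
    }

    // Behaviour described in the post: the node replays the replicated
    // credential through full validation on every first contact.
    static boolean acceptByReplay(Ticket replicated, Instant now) {
        return validateTicket(replicated, now);
    }

    // Behaviour the post asks for: the node trusts the replicated fact that
    // the user authenticated, here limited by an assumed maximum age.
    static boolean acceptByAuthState(AuthState replicated, Instant now) {
        return !now.isAfter(replicated.authenticatedAt().plus(MAX_AUTH_STATE_AGE));
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2007-01-01T10:00:00Z"); // constructed timestamp
        Ticket ticket = new Ticket("user1", t0);             // constructed user
        AuthState state = new AuthState("user1", t0);        // set when node1 validated the ticket
        Instant secondCall = t0.plus(Duration.ofMinutes(15));
        Instant lateCall = t0.plus(Duration.ofMinutes(45));

        // node1, first call: ticket is fresh, validation succeeds.
        System.out.println("node1 replay  t0     : " + acceptByReplay(ticket, t0));
        // node2, second call: replayed ticket is 15 minutes old, validation fails.
        System.out.println("node2 replay  t0+15m : " + acceptByReplay(ticket, secondCall));
        // node2 with replicated authentication state: accepted without the ticket.
        System.out.println("node2 state   t0+15m : " + acceptByAuthState(state, secondCall));
        // The bound still forces a fresh login once the state is too old.
        System.out.println("node2 state   t0+45m : " + acceptByAuthState(state, lateCall));
    }
}
```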