Does this mean that I have to specify the principal for the Windows user that gets
authenticated via SPNEGO in both the spnego-roles.properties and in login-config.xml in
the UsersRolesLoginModule?
My UsersRolesLoginModule looks like this:
</login-module>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
  <module-option name="password-stacking">useFirstPass</module-option>
  <module-option name="principal">hausberger@MYDOMAIN</module-option>
  <module-option name="usersProperties">props/spnego-users.properties</module-option>
  <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
</login-module>
and my spnego-roles.properties like this:
hausberger@MYDOMAIN=Users
When I access the negotiation toolkit page, I get this in the server.log:
2008-07-31 16:45:33,865 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, sub
Principal: hausbergers@MYDOMAIN
Principal: Roles(members)
Principal: CallerPrincipal(members:hausbergers@MYDOMAIN)
When I access the "Secured" page, I get this in the server.log:
2008-07-31 16:47:13,205 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2008-07-31 16:47:13,205 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
2008-07-31 16:47:13,205 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
2008-07-31 16:47:14,046 TRACE [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] Authenticating user
2008-07-31 16:47:14,046 TRACE [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] Already authenticated 'hausbergers@MYDOMAIN'
2008-07-31 16:47:14,046 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
2008-07-31 16:47:14,126 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2008-07-31 16:47:14,127 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
2008-07-31 16:47:14,127 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
2008-07-31 16:47:14,129 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2008-07-31 16:47:14,129 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
2008-07-31 16:47:14,129 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
Does this mean that the user has the "members" role? Where would I add the
"Users" role?
The log also says "already authenticated".
Sorry for all the questions, I am new to JBoss.
Claus
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4167934#...
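Added example, not part of the original post and not JBoss code: a check that every principal the server.log shows as authenticated has a key in the roles properties file, reporting the nearest existing key when it does not. It assumes roles are looked up by the exact principal name, handles only simple name=role1,role2 lines, and uses the log lines and the properties entry quoted in the post as sample input; all function names are hypothetical.

```python
import difflib
import re

# Sample input copied from the post above (log lines unwrapped).
ROLES_PROPERTIES = "hausberger@MYDOMAIN=Users\n"
SERVER_LOG = """\
2008-07-31 16:45:33,865 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, sub
Principal: hausbergers@MYDOMAIN
Principal: Roles(members)
Principal: CallerPrincipal(members:hausbergers@MYDOMAIN)
2008-07-31 16:47:14,046 TRACE [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] Already authenticated 'hausbergers@MYDOMAIN'
"""

# Log fragments that name the authenticated principal in the traces shown in the post.
AUTH_PATTERNS = (
    re.compile(r"Already authenticated '([^']+)'"),
    re.compile(r"CallerPrincipal\(members:([^)]+)\)"),
)

def parse_roles(text):
    """Map each key of a name=role1,role2 properties file to its list of roles."""
    roles = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank line, comment, or not a key=value entry
        key, _, value = line.partition("=")
        roles[key.strip()] = [r.strip() for r in value.split(",") if r.strip()]
    return roles

def authenticated_principals(log_text):
    """Collect every principal name the log reports as authenticated."""
    return {m for p in AUTH_PATTERNS for m in p.findall(log_text)}

def audit(log_text, roles_text):
    """Return {principal: ("mapped", roles)} or {principal: ("unmapped", nearest_keys)}."""
    roles = parse_roles(roles_text)
    report = {}
    for principal in sorted(authenticated_principals(log_text)):
        if principal in roles:
            report[principal] = ("mapped", roles[principal])
        else:
            # An exact-match lookup fails on a one-character difference; show the closest key.
            near = difflib.get_close_matches(principal, list(roles), n=1, cutoff=0.8)
            report[principal] = ("unmapped", near)
    return report

if __name__ == "__main__":
    for name, (status, detail) in audit(SERVER_LOG, ROLES_PROPERTIES).items():
        print(f"{name}: {status} {detail}")
```

On the values quoted in the post, the principal in the log (hausbergers@MYDOMAIN) has no entry in the roles file, and the nearest key is hausberger@MYDOMAIN.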