I have to say so far this is not a scenario that I have worked with yet, most of my MIT KDC testing was using FreeIPA and only Linux server and client so I have not yet tried a Windows client with a Linux/MIT KDC. So far from experience the easiest way to analyse this further would be to use a tool like wireshark to monitor the network traffic between the Windows machine and the Linux/MIT KDC. At the point the web browser decides if it should trust the server it will send a TGS-REQ packet to the KDC and will trust the server if it gets a valid TGS-REP in response - using wireshark will let you double check what is being requested and what any failure message says. View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4211105#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...