Hi,
I have successfully managed to get negotiation to work - gr8 docs. I have a setup with AD
running as KDC and use AdvancedLdapLoginModule to get user roles.
As I can see, currently the principal that is passed to AdvancedLdapLoginModule is in the
form username@REALM.NAME. In order for the role module to find the user correctly I need to
define some attribute to contain this info so the LDAP search can find the correct object (as
in the examples, in userPrincipalName). Another option (which worked for me) is to use the mail
attribute. I was wondering if there is any way to extract the actual user id from the
principal so I could run the search against sAMAccountName rather than e-mail or a manually
edited attribute?
By doing that I would like to limit the amount of work that the administrator has to do by
using some default behavior of AD.
Any suggestions how to approach that?
Thx,
/p
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4178534#...
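
The mapping asked about in the post above, as an added example (not part of the original post and not JBoss Negotiation code): it splits a principal of the form username@REALM.NAME, checks the realm, and builds an LDAP filter on sAMAccountName with RFC 4515 escaping. The class name, method names and the realm EXAMPLE.COM are assumptions made for illustration.

```java
// Added example; PrincipalToSamFilter and its methods are hypothetical names.
public class PrincipalToSamFilter {

    /** Escape a value for use inside an LDAP search filter (RFC 4515). */
    static String escapeFilterValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Turn "name@REALM" into "(sAMAccountName=name)" for one trusted realm. */
    static String samFilter(String principal, String expectedRealm) {
        int at = principal.indexOf('@');
        if (at <= 0 || at != principal.lastIndexOf('@'))
            throw new IllegalArgumentException("not of the form name@REALM");
        String name = principal.substring(0, at);
        String realm = principal.substring(at + 1);
        // Dropping the realm is only safe if a single realm is accepted;
        // otherwise equal names from different realms map to the same account.
        if (!realm.equals(expectedRealm))
            throw new IllegalArgumentException("unexpected realm: " + realm);
        // '/' marks a multi-component (service/instance) principal and '\'
        // an escaped character; neither is handled here, so reject both.
        if (name.indexOf('/') >= 0 || name.indexOf('\\') >= 0)
            throw new IllegalArgumentException("not a plain user principal");
        return "(sAMAccountName=" + escapeFilterValue(name) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample principals, not taken from any real directory.
        String[] samples = { "jdoe@EXAMPLE.COM", "a*)(cn=*@EXAMPLE.COM",
                             "HTTP/web01@EXAMPLE.COM", "jdoe@OTHER.REALM" };
        for (String p : samples) {
            try {
                System.out.println(p + " -> " + samFilter(p, "EXAMPLE.COM"));
            } catch (IllegalArgumentException e) {
                System.out.println(p + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```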