Looking at your configuration I don't see anything that jumps out at me as being
wrong.
The error message that you have shown is something that is coming back from Active
Directory. I have found the following page that contains some information on how to obtain
further logging from Active Directory to start to diagnose why a request is failing.
http://support.microsoft.com/default.aspx?scid=kb;en-us;314980&sd=tech
We can see from your logs that your host security domain is able to successfully
authenticate using the keytab so I don't suspect a problem there.
If possible, do you have anything like Wireshark available to trace the network traffic
between Server1 and Server2? One possible area to configure is that it may be a problem
with the "java.naming.provider.url" - is this exactly the same name that you
used to specify the KDC? If not, it is possible that it is a case-sensitive comparison
which is making the "java.naming.provider.url" look as though it is not trusted,
so the GSSAPI mechanism is not being used. Traces from Wireshark should show additional
Kerberos requests that may illustrate if this is the problem.