For SSO in Windows Server 2008 we would like to use Kerberos so the user does not have to
type in his/her username/password again for our application. Further we need the users
roles/groups from Active Directory to restrict access to our application.
The solution I tried was to combine Krb5LoginModule with LdapExtLoginModule, but they do
not work together in my case. If I use the Krb5LoginModule I can use SSO, if I use the
LdapExtLoginModule I can retrieve the roles after entering my username/password again. But
combining them for SSO and roles does not work.
If my research is correct, then the problem is that the Krb5LoginModule returns a user of
the form "username@domain" while the LdapExtLoginModule expects just
"username". But I could not find a solution for that. Is there a solution for
this problem, or is there perhaps another LoginModule that could be used?
The code we are using is the following:
<application-policy name="kerberos">
  <authentication>

    <!-- Kerberos authentication. storeKey keeps the principal's key in the Subject,
         storePass puts the user name/password into the JAAS shared state for the
         modules that follow. -->
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="debug">true</module-option>
      <module-option name="storeKey">true</module-option>
      <module-option name="storePass">true</module-option>
    </login-module>

    <!-- Role lookup in Active Directory. {0} in baseFilter and roleFilter is the
         user name the module was given; roles are read from the user's memberOf
         attribute and reduced to the cn of each group DN. -->
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="debug">true</module-option>
      <module-option name="java.naming.provider.url">ldap://$ip$:389</module-option>
      <module-option name="bindDN">cn=$Username$, cn=Users, dc=$domain$, dc=$domainextension$</module-option>
      <module-option name="bindCredential">$password$</module-option>
      <module-option name="baseCtxDN">cn=Users,dc=$domain$,dc=$domainextension$</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=Users,dc=$domain$,dc=$domainextension$</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>

  </authentication>
</application-policy>
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4268266#...
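The name mismatch the post describes ("username@domain" from Krb5LoginModule versus plain "username" for the LDAP filter) can be bridged by a small JAAS module placed between the two. The class below is an added example, not code from the original post or from JBoss. It relies on two things: Krb5LoginModule with storePass=true publishes the authenticated name under the shared-state key javax.security.auth.login.name, and JAAS calls login() on every module in order before any commit(), so a rewrite done in this module's login() is visible to the LDAP module's login(). The package name, the class name and the "realm" module option are hypothetical. It further assumes the LDAP module is configured with password-stacking=useFirstPass so it takes the name from the shared state, and that it can fetch the roles with its own bindDN credentials rather than binding as the user (in a ticket-based SSO flow there is no user password); whether LdapExtLoginModule does that under useFirstPass has to be checked against the JBoss version in use. The realm check is the security-relevant part: stripping "@REALM" blindly would map alice@OTHER.REALM onto the same local identity as alice@YOUR.REALM.

```java
package example.sso; // hypothetical package, not part of JBoss

import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Added example: rewrites the shared-state user name "username@REALM" that
 * Krb5LoginModule (storePass=true) left behind into "username", so a following
 * module with password-stacking=useFirstPass sees the short name as {0}.
 */
public class RealmStrippingLoginModule implements LoginModule {

    private static final String NAME_KEY = "javax.security.auth.login.name";

    private Subject subject;
    private Map<String, Object> sharedState;
    private String expectedRealm;      // hypothetical module option "realm"
    private String shortName;
    private Principal mappedPrincipal;

    /** Mapping logic on its own: strips the realm after checking it. */
    static String stripRealm(String principalName, String expectedRealm) throws LoginException {
        int at = principalName.lastIndexOf('@');
        if (at <= 0) {
            // No realm present: acceptable only when no realm check was requested
            if (expectedRealm == null) return principalName;
            throw new LoginException("principal without realm: " + principalName);
        }
        String user = principalName.substring(0, at);
        String realm = principalName.substring(at + 1);
        // Refuse principals from any other realm; otherwise alice@OTHER.REALM
        // would collapse onto the local user "alice"
        if (expectedRealm != null && !expectedRealm.equalsIgnoreCase(realm)) {
            throw new LoginException("unexpected realm " + realm + " for " + principalName);
        }
        // Service principals (host/fqdn@REALM) are not application users
        if (user.indexOf('/') >= 0) {
            throw new LoginException("service principal rejected: " + principalName);
        }
        return user;
    }

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.sharedState = (Map<String, Object>) sharedState;
        Object realm = options.get("realm");
        this.expectedRealm = realm == null ? null : realm.toString();
    }

    @Override
    public boolean login() throws LoginException {
        Object name = sharedState.get(NAME_KEY);
        if (name == null) {
            throw new LoginException("no " + NAME_KEY + " in shared state; "
                    + "is Krb5LoginModule listed first with storePass=true?");
        }
        String full = name instanceof Principal ? ((Principal) name).getName() : name.toString();
        shortName = stripRealm(full, expectedRealm);
        sharedState.put(NAME_KEY, shortName);   // what the next module reads as {0}
        return true;
    }

    @Override
    public boolean commit() {
        if (shortName == null) return false;
        mappedPrincipal = new ShortNamePrincipal(shortName);
        subject.getPrincipals().add(mappedPrincipal);   // the application sees "username"
        return true;
    }

    @Override
    public boolean abort() {
        shortName = null;
        return true;
    }

    @Override
    public boolean logout() {
        if (mappedPrincipal != null) subject.getPrincipals().remove(mappedPrincipal);
        shortName = null;
        return true;
    }

    /** Minimal Principal so the example does not depend on JBoss classes. */
    static final class ShortNamePrincipal implements Principal {
        private final String name;
        ShortNamePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof ShortNamePrincipal && name.equals(((ShortNamePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }
}
```

To wire it into the application-policy above, add a third login-module entry with code="example.sso.RealmStrippingLoginModule" and flag="required" between the Krb5LoginModule and the LdapExtLoginModule, give it a module-option named "realm" holding the Kerberos realm (typically the AD domain in upper case), and add module-option "password-stacking" with value "useFirstPass" to the LdapExtLoginModule so it consumes the rewritten name. With debug=true on the LDAP module the log should then show the filter being evaluated with the short name instead of "username@domain".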