The ticket needs to be forwardable. If it is, in firefox, you add your website to the trusted URIs for delegation ( in about:config). At this point, you should see "context.getDelegState()=true" in the logs. The missing bit in the jboss-negotiation project is to get the delegated credendentials and store them in the private credentials of the Subject in the SPNEGOLoginModule. It needs to be destroyed or cleared in the logout method. Then, you will need to manage yourself the kerberos ticket and implement yourself the WS-kerberos (if your webservice is using a HTTP binding, i suppose it would be easy to secure the webservice via spnego). Jboss does not implement these things for you so, you have to take care of the ticket renewal and propagation... View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4218072#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...