Thank you Dmitry My Keycloak realm is setup for LDAP/Kerberos authentication with a Windows Active Directory domain. So I am getting a delegated GSSCredential in my AccessToken when I access my Web App from a properly configured browser (SPNEGO) on a workstation in the Windows Active Directory Domain. If the browser is not configured for SPNEGO or the workstation is not a member of the Windows Active Directory Domain, The browser is redirected to the Keycloak log in page After entering a correct user and password, the browser is redirected back to the Web App. This step is what I need to successfully authenticate a Windows AD User ID/password combination and it works. My problem is there is no claim in the AccessToken for a GSSCredential. I have an absolute requirement for a GSSCredential for that Windows AD User ID/Password. The GSSCredential is to be used in the web app to connect to an IBM i (aka AS/400) for calling RPG and COBOL programs. The IBM i is Configured to accept the GSSCredential and it works when the workstation is a member of the Windows AD domain and the browser is configured for SPNEGO. Can Keycloak be configured to put a GSSCredential in the AccessToken when Keycloak authenticates the Windows AD User id/Password? If not, would it be a large effort to add a plugin that would put a GSSCredential in the AccessToken? -----Original Message----- From: Dmitry Telegin <dt(a)acutus.pro&gt; Sent: Monday, January 28, 2019 2:21 PM To: Chris Smith <chris.smith(a)cmfirstgroup.com>; keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain Hello Chris, AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP authentication. Cheers, Dmitry On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote: