
    JBoss Negotiation




    The JBoss Negotiation project provides a Tomcat authenticator and JAAS login module to add SPNEGO support to JBoss.


    This project is a component of the JBoss Security and Identity Management Project.


    GA release:

    (Includes code and user guide).




    PicketBox Downloads.





    For assistance using the authenticator please use the Security & JAAS/JBoss user forum.


    For development discussions please use the Design of Security on JBoss forum.


    Bugs and Features


    Bugs and feature requests can be raised within the SECURITY project in Jira; please set the component to 'Negotiation'.




    The source for the authenticator and the documentation is held within Subversion at the following locations:



    Additional Documentation


    If you have any additional information you feel should be included in the documentation, please feel free to add it here so it can be included in a subsequent release.


    The following article contains the steps required on an all-Windows domain:





    The typical use case is described in the diagram.

    • The user logs in to their desktop (such as a Windows machine). The desktop login is governed by the Active Directory domain.
    • The user then uses a browser (IE/Firefox) to access a web application (that uses JBoss Negotiation) hosted on JBoss AS or JBoss EAP.
    • The browser transfers the desktop sign-on information to the web application.
    • JBoss EAP/AS exchanges GSS messages in the background with Active Directory (or any Kerberos server) to validate the user.
    • The user has seamless SSO into the web application.


    Integration Material for other Projects/Products at JBoss:

    GateIn Integration with JBoss Negotiation

    Note: If you want UNIX integration, please look in the GateIn link above. (<= LINUX/UNIX)


    Old SPNEGO/Kerberos Documentation


    The old page discussing SPNEGO authentication can still be found at NegotiateKerberos.



    * "[SPNEGOLoginModule] Unsupported negotiation mechanism 'NTLM'."

    This message means the browser is falling back to the deprecated NTLM mechanism instead of the recommended SPNEGO mechanism.
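
    To confirm which mechanism a browser actually sent, the token in the Authorization: Negotiate header can be classified by its leading bytes. The script below is an added diagnostic example, not code from JBoss Negotiation; the function name classify_negotiate, its return labels and the sample token are constructed for illustration.

```python
import base64
import binascii
import struct

# Mechanism OIDs as DER content bytes (well-known values).
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def _der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate(header_value):
    """Classify the value of an 'Authorization: Negotiate <base64>' header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"
    # Raw NTLM: 8-byte signature followed by a little-endian message type.
    if token.startswith(b"NTLMSSP\x00") and len(token) >= 12:
        msg_type = struct.unpack_from("<I", token, 8)[0]
        return "ntlm-" + NTLM_TYPES.get(msg_type, "unknown")
    if token[:1] == b"\xa1":
        return "spnego-response"  # NegTokenResp, a later leg of the exchange
    try:
        if token[:1] != b"\x60":  # GSS-API initial context token tag
            return "unknown"
        _, pos = _der_length(token, 1)
        if token[pos] != 0x06:    # mechanism OID must follow
            return "unknown"
        oid_len, pos = _der_length(token, pos + 1)
        oid = token[pos:pos + oid_len]
    except (ValueError, IndexError):
        return "malformed"
    return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(oid, "unknown")

if __name__ == "__main__":
    # Constructed sample: minimal NTLM type 1 message, not captured traffic.
    sample = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<II", 1, 0)).decode()
    print(classify_negotiate("Negotiate " + sample))
```

    A result beginning with ntlm- corresponds to the NTLM fallback described above; spnego or kerberos means the browser offered a GSS-API token instead.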




    JBoss AS7/WildFly/EAP6 Kerberos: Look for NegotiationAuthenticatorValve