There are three options for selecting the appropriate keytab element. Two of them are broken when an IPv6 address is used:

1) Compare the host name against the host extracted from the request

The hostname is not correctly extracted from the HTTP request for Kerberos authentication into the Management Console for an IPv6 address. For that reason, when the following keytab is set in the server configuration, it is never taken into account in org.jboss.as.domain.http.server.security.SpnegoAuthenticator:

    <keytab principal="HTTP/[2620:52:0:105f::ffff:1a]@JBOSS.ORG" path="${KEYTAB_PATH}"/>

Take a look at the getHostName method of SpnegoAuthenticator [1]. It expects only an IPv4 address. There may be other places where only IPv4 is expected.

2) From the for-hosts attribute

It is also not taken into account when an IPv6 address is set in the for-hosts attribute:

    <keytab principal="HTTP/[2620:52:0:105f::ffff:1a]@JBOSS.ORG" path="${KEYTAB_PATH}" for-hosts="[2620:52:0:105f::ffff:1a]"/>

Log output for this case:

    TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) No mapping for name 'HTTP/[2620' to KeytabService, attempting to use host only match.
    TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) No mapping for host '[2620' to KeytabService, attempting to use default.
    TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) No KeytabService available for host '[2620' unable to return SubjectIdentity.
    TRACE [org.jboss.as.domain.http.api] (HttpManagementService-threads - 1) No Subject available for host '[2620'

3) Set for-hosts to "*"

It works fine when the for-hosts attribute is set to "*".

This means that Kerberos authentication into the Management Console with IPv6 works, but selecting the appropriate keytab element with an IPv6 address is broken.

[1] https://github.com/jbossas/jboss-eap/blob/6.x/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/SpnegoAuthenticator.java#L183
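The truncated host '[2620' in the TRACE output above is what results when a Host header value is cut at its first ':'. The following added example (not code from SpnegoAuthenticator or the project) contrasts that with bracket-aware parsing; the class and method names are hypothetical, naiveHost is an assumed reconstruction consistent with the log, and the sample header values, including port 9990, are constructed.

```java
import java.util.List;

// Added illustration; HostHeaderParser and its methods are hypothetical names.
public class HostHeaderParser {

    // Assumed naive behaviour, consistent with the TRACE output:
    // everything after the first ':' is treated as the port.
    static String naiveHost(String hostHeader) {
        int colon = hostHeader.indexOf(':');
        return colon < 0 ? hostHeader : hostHeader.substring(0, colon);
    }

    // Bracket-aware parsing: an IPv6 literal in a Host header is enclosed in
    // '[' ... ']' (RFC 3986 section 3.2.2); an optional port follows the ']'.
    static String hostOnly(String hostHeader) {
        String h = hostHeader.trim();
        if (h.startsWith("[")) {
            int close = h.indexOf(']');
            if (close < 0) {
                throw new IllegalArgumentException("Unterminated IPv6 literal: " + h);
            }
            String rest = h.substring(close + 1);
            if (!rest.isEmpty() && !rest.matches(":\\d*")) {
                throw new IllegalArgumentException("Unexpected text after ']': " + h);
            }
            return h.substring(0, close + 1); // keep brackets, as in for-hosts
        }
        int colon = h.lastIndexOf(':');
        // More than one ':' without brackets is not a valid Host value.
        if (colon >= 0 && h.indexOf(':') != colon) {
            throw new IllegalArgumentException("Unbracketed IPv6 literal: " + h);
        }
        return colon < 0 ? h : h.substring(0, colon);
    }

    public static void main(String[] args) {
        // Constructed sample Host header values.
        List<String> samples = List.of(
            "[2620:52:0:105f::ffff:1a]:9990",
            "[2620:52:0:105f::ffff:1a]",
            "localhost:9990",
            "127.0.0.1");
        for (String s : samples) {
            // "HTTP/" + host is the name the keytab lookup in the log is keyed on.
            System.out.printf("%-32s naive=HTTP/%-12s bracket-aware=HTTP/%s%n",
                s, naiveHost(s), hostOnly(s));
        }
    }
}
```

For the first two samples the naive method yields `[2620`, matching the log, while the bracket-aware method yields `[2620:52:0:105f::ffff:1a]`, the value used in the for-hosts attribute above.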
John Doyle <jdoyle> updated the status of jira EAP6-253 to Closed
Created upstream issue.
Note that there is already a test case for this. It can be run with the following (replace the node0 value with your own IPv6 address):

    cd testsuite/integration/manualmode
    mvn install -Dtest=KerberosHttpInterfaceTestCase -Dnode0=2620:52:0:2804:56ee:75ff:fe2d:980f -Dipv6
I'm not backporting to EAP, since there is no customer case.