in server/default/deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml there is declaration of new authenticator in "authenticators" configuration: <entry> <key>SECURITY_DOMAIN</key <value>org.picketlink.identity.federation.bindings.tomcat.PicketLinkAuthenticator</value> </entry> Problem is that this authenticator is not available in EAP classpath by default. It's available in EAP in attached picketlink component under $EAP_HOME/picketlink/picketlink-federation/picketlink-core-2.0.2.jar, but this JAR is not in EAP classpath by default. So it seems that PicketLinkAuthenticator should be commented by default and EAP users can uncomment only in case when they want to use picketlink and add picketlink JAR into classpath. The main problem with current configuration in EAP 5.1.2-GA is, that if user adds another authenticator into the end of the authenticators chain - like SPNEGO authenticator for instance: <entry> <key>SPNEGO</key> <value>org.jboss.security.negotiation.NegotiationAuthenticator</value> </entry> then the server startup ends with the confusing error message: ERROR [ContextConfig] Cannot configure an authenticator for method SPNEGO which is actually not caused by SPNEGO itself but it's caused by the fact that previous authenticator (PicketLinkAuthenticator) is not in classpath.