Kerberos Auth with JAAS and Multiple Realms

Everyone,

Can anyone give some advice on how to use the JAAS LoginContext for authentication against multiple KDC / realm combinations? In other words, if attempt 1 fails against realm A, try realm B.

Something like the pseudocode below.

As always, any help is appreciated.


krb5 configuration:

```
[realms]
    some.address.for.auth.one {
        kdc = some.address.one
    }
    some.address.for.auth.two {
        kdc = some.address.two
    }
```

Login logic:

```java
boolean loginSuccess = false;
try {
    LoginContext lc = new LoginContext(...);   // Try Realm 1
    lc.login();
    loginSuccess = true;
} catch (LoginException le) {
    try {
        LoginContext lc2 = new LoginContext(...);   // Try Realm 2
        lc2.login();
        loginSuccess = true;
    } catch (LoginException le2) {   // renamed: Java does not allow shadowing the outer 'le'
        // ...
    }
}
return loginSuccess;
```
1 answer

It is possible. For example, you can keep each configuration in separate files and, at the beginning of each attempt, set the Java system properties to the paths of that attempt's krb5.ini and login.conf files:

```java
boolean loginSuccess = false;
try {
    // Windows paths: backslashes must be doubled inside a Java string literal
    System.setProperty("java.security.krb5.conf", "C:\\kerb\\conf1\\krb5.ini");
    System.setProperty("java.security.auth.login.config", "C:\\kerb\\conf1\\login.conf");
    // in login.conf you can have defined the path to the keytab for this configuration
    LoginContext lc = new LoginContext(...);   // Try Realm 1
    lc.login();
    loginSuccess = true;
} catch (LoginException le) {
    try {
        System.setProperty("java.security.krb5.conf", "C:\\kerb\\conf2\\krb5.ini");
        System.setProperty("java.security.auth.login.config", "C:\\kerb\\conf2\\login.conf");
        // in login.conf you can have defined the path to the keytab for this configuration
        // Caveat: JAAS caches the Configuration after the first LoginContext and the JDK
        // caches the krb5 settings, so for the new paths to take effect call
        // Configuration.getConfiguration().refresh() here and set refreshKrb5Config=true
        // in the Krb5LoginModule entry of login.conf
        LoginContext lc2 = new LoginContext(...);   // Try Realm 2
        lc2.login();
        loginSuccess = true;
    } catch (LoginException le2) {   // renamed: Java does not allow shadowing the outer 'le'
        // ...
    }
}
return loginSuccess;
```

These two system properties are described here: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html and http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html

Another option might be a file-less configuration. There is a LoginContext constructor that accepts a CallbackHandler (here you pass the username and password) and a Configuration (here you pass the parameters that you would otherwise have in login.conf). The KDC and realm can be passed in the system properties java.security.krb5.realm and java.security.krb5.kdc.

http://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/LoginContext.html#LoginContext-java.lang.String-javax.security.auth.Subject-javax.security.auth.callback.CallbackHandler-javax.security.auth.login.Configuration-

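The file-less approach from the answer above, as an added worked example (not code from the original post or from the JDK documentation): an in-memory Configuration equivalent to a Krb5LoginModule entry in login.conf, a CallbackHandler that supplies the principal name and password, and a loop that retries the login against each KDC/realm pair in turn. The realm and KDC names are placeholders, and the class and method names are this example's own. The `refreshKrb5Config` option is a documented Krb5LoginModule option; it makes the module re-read the `java.security.krb5.realm` / `java.security.krb5.kdc` properties before each attempt, which is what lets a single JVM switch realms without restarting.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class MultiRealmLogin {

    /** One KDC/realm pair to try. Realm and KDC values below are placeholders (assumption). */
    static final class RealmTarget {
        final String realm;
        final String kdc;
        RealmTarget(String realm, String kdc) { this.realm = realm; this.kdc = kdc; }
    }

    /** In-memory JAAS Configuration: the equivalent of one Krb5LoginModule entry in login.conf. */
    static final class InMemoryKrb5Config extends Configuration {
        private final AppConfigurationEntry[] entries;

        InMemoryKrb5Config() {
            Map<String, String> options = new HashMap<>();
            options.put("useTicketCache", "false");   // always go to the KDC, never reuse a cached TGT
            options.put("doNotPrompt", "false");      // allow the CallbackHandler to supply credentials
            options.put("refreshKrb5Config", "true"); // re-read krb5 realm/kdc properties before each login
            entries = new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    options)
            };
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return entries.clone();   // same entry regardless of the application name
        }
    }

    /** Answers Krb5LoginModule's NameCallback and PasswordCallback from values held in memory. */
    static final class PasswordHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        PasswordHandler(String user, char[] password) { this.user = user; this.password = password; }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /** Tries each realm in order; returns the authenticated Subject, or null if every realm failed. */
    static Subject loginAgainstFirstRealm(String user, char[] password, List<RealmTarget> targets) {
        Configuration config = new InMemoryKrb5Config();
        for (RealmTarget t : targets) {
            // With both properties set the JDK takes realm and KDC from here instead of krb5.conf
            System.setProperty("java.security.krb5.realm", t.realm);
            System.setProperty("java.security.krb5.kdc", t.kdc);
            try {
                LoginContext lc = new LoginContext("krb5-any-realm", new Subject(),
                        new PasswordHandler(user, password), config);
                lc.login();
                return lc.getSubject();
            } catch (LoginException le) {
                // e.g. unknown principal in this realm, or pre-authentication failed
                System.err.println("Login to " + t.realm + " via " + t.kdc + " failed: " + le.getMessage());
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Placeholder realms and KDC hostnames (assumption); replace with real values
        List<RealmTarget> targets = Arrays.asList(
            new RealmTarget("EXAMPLE-ONE.TEST", "kdc1.example-one.test"),
            new RealmTarget("EXAMPLE-TWO.TEST", "kdc2.example-two.test"));
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage: java MultiRealmLogin <username>   (password is read from the console)");
            return;
        }
        char[] password = System.console().readPassword("Password: ");
        try {
            Subject s = loginAgainstFirstRealm(args[0], password, targets);
            System.out.println(s == null ? "all realms failed" : "authenticated: " + s.getPrincipals());
        } finally {
            Arrays.fill(password, '\0');   // do not leave the password lying around in the heap
        }
    }
}
```

Two things to keep in mind with this pattern. First, when `java.security.krb5.realm` and `java.security.krb5.kdc` are both set, the JDK does not read krb5.conf at all, so anything else you rely on from that file (encryption types, ticket lifetimes) has to come from the defaults or from module options. Second, every failed attempt is a real AS-REQ with the user's password-derived pre-authentication data, so a wrong password counts against the lockout policy of each realm you try; order the realms by likelihood and stop on the first success rather than trying all of them unconditionally.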
