On Fri, Mar 11, 2011 at 3:50 PM, Dvorkin, Asya <dvorkias at umdnj.edu> wrote: > [root at myserver conf]# klist -k > Keytab name: FILE:/etc/krb5.keytab > KVNO Principal > ---- -------------------------------------------------------------------------- > 2 host/myserver.server.com at CORE.HOST.EDU > 2 host/rmyserver.server.com at CORE.HOST.EDU > 2 host/myserver.server.com at CORE.HOST.EDU > 2 host/myserver at CORE.HOST.EDU > 2 host/myserver at CORE.HOST.EDU > 2 host/myserver at CORE.HOST.EDU > 2 MYSERVER$@CORE.HOST.EDU > 2 MYSERVER$@CORE.HOST.EDU > 2 MYSERVER$@CORE.HOST.EDU > 2 http/myserver.server.com at CORE.HOST.EDU > 2 http/myserver.server.com at CORE.HOST.EDU > 2 http/myserver.server.com at CORE.HOSTEDU > 2 http/myserver at CORE.HOST.EDU > 2 http/myserver at CORE.HOST.EDU > 2 http/myserver at CORE.HOST.EDU > > My problem is that I am getting an error message in apache logs: > > gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name) > > I looked in AD configuration and see that my server does not have appropriate ServicePrincipalName for HTTP (only host). Hi Asya, You must set the servicePrincipalName attribute on the service account (MYSERVER$ in this case) to include all of the hostnames that will be used to access the web server which in this case would be at least "HTTP/myserver.server.com". One way to do this would be to use setspn.exe on a Windows client but if you really have no access to the Windows side as you say, you could use the Samba keytab to acquire credentials for doing the necessary LDAP add operation using some tool (maybe there is a Samba utility for this, I don't know) or program. Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/