[client nnn.nnn.nnn.nnn] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration. src/mod_auth_kerb.c(1101): [client nnn.nnn.nnn.nnn] GSS-API major_status:00090000, minor_status:861b6d0c [client nnn.nnn.nnn.nnn] gss_accept_sec_context() failed: A token was invalid (, Unknown code)You have checked your IE (or Firefox) configuration and are pretty sure that the browser should be sending a Kerberos ticket instead of attempting NTLM authentication.
Solution: First apply some more diagnostics:
- Check if the command
kvno HTTP/your.server.com@YOURDOMAIN.COMgives you this message: "HTTP/your.server.com@YOURDOMAIN.COM: Server not found in Kerberos database while getting credentials". If yes, you likely have the problem described here.
- On the Windows AD server check the output of
setspn -l yourserver. Does it appear like so?
Registered ServicePrincipalNames for CN=yoursever,OU=Service Accounts,OU=Accounts,DC=yourdomain,DC=com: HTTP/your.server.com@YOURDOMAIN.COMIf yes, then you likely have the problem described here. The domain suffix highlighted in red should not appear in the command's output in a correct configuration.
setspn -d HTTP/your.server.com@YOURDOMAIN.COM yourserver setspn -A HTTP/your.server.com yourserver