GSS-API error gss_accept_sec_context: Request ticket server HTTP/ not found in keytab

Greg Hudson ghudson at
Fri Nov 11 13:44:54 EST 2022

On 11/11/22 10:33, Kerberos Enthusiast wrote:
> It seems, if multiple servers supply separate keytabs, then the
> subsequent kerberos auth request targeted for multiple kerberos servers
> with separate keytabs and application keep on
> updating "default_keytab_name" global variable and it causes some of the
> authentication requests to fail and it throws this error

There is no global variable named default_keytab_name in MIT krb5. 
There is a krb5.conf configuration variable with this name, but it is 
never changed by the GSS or Kerberos libraries.

> *"GSS-API error gss_accept_sec_context: Request ticket server HTTP/ not
> found in keytab" *(major code - 186a5, d0000)

This message is a little bit puzzling, because the principal name 
("HTTP/") is incomplete, and because the message of this form in the 
code includes a parenthetical about the ticket kvno.

> Using this api *krb5_gss_register_acceptor_identity() *to set the default
> keytab file for kerberos authentication.

This function sets a thread-specific global variable.  It should work to 
invoke it before each call to gss_acquire_cred(), or before each call to 
gss_accept_sec_context() using the default acceptor credential.  Or:

> Can we use any other gss_api to maintain the local context of the keytab
> file and send this keytab for every authentication request?

gss_acquire_cred_from() allows the caller to specify a keytab name when 
acquiring credentials.  See:

More information about the Kerberos mailing list