Symptom:

An XP client accesses a web page (HTTP or HTTPS) hosted on a Unix/Linux server that is configured with Centrify and Apache (with the mod_auth_kerb module).

The Windows user is prompted to enter credentials (in IE or another browser).

Analysis:

On the Unix server side (Apache, configured for Kerberos through the Centrify DirectControl client), the Apache log shows “KDC reply did not match expectation while getting initial credential”.

The client computer and the Linux server are in Windows domain A (mydoma.dom.local).

The user accessing the web site is a member of Windows domain B (mydomb.dom.local).

Domain A and domain B belong to two different forests (with different functional levels), with a correctly configured two-way trust.

The Apache server also has its SPN correctly registered in Windows domain A (see setspn, or the Centrify DirectControl agent installation).

Solution:

We assume here that IE or Firefox is correctly configured to work with Kerberos.

We also assume that the Apache Linux server is a member of a Windows domain (thanks to Centrify!).

On Unix/Linux, whether Kerberos is set up through /etc/krb5.conf or through the Apache httpd.conf, the Kerberos directives for Apache should contain both realms:

KrbAuthRealms MYDOMA.DOM.LOCAL MYDOMB.DOM.LOCAL
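As an added illustration (not part of the original note), here is what the corresponding mod_auth_kerb section of httpd.conf looks like, with the single-realm configuration that produces the symptom placed beside the corrected two-realm one. The host name web01.mydoma.dom.local, the keytab path and the /secure location are assumptions chosen for the example.

```apache
# Added example, not from the original note. Host name, keytab path and
# location are assumptions; the realm names are the two domains of the note.

# --- Before: only the server's own realm is listed. When the browser falls
# back to user name/password (KrbMethodK5Passwd), mod_auth_kerb obtains the
# initial credentials only against MYDOMA.DOM.LOCAL. For a mydomb user the
# KDC reply does not match, the error appears in the Apache log and the
# credential prompt comes back.
#
# <Location /secure>
#     AuthType Kerberos
#     AuthName "Kerberos Login"
#     KrbAuthRealms MYDOMA.DOM.LOCAL
#     KrbServiceName HTTP/web01.mydoma.dom.local@MYDOMA.DOM.LOCAL
#     Krb5Keytab /etc/httpd/conf/http.keytab
#     KrbMethodNegotiate on
#     KrbMethodK5Passwd on
#     Require valid-user
# </Location>

# --- After: both trusted realms are listed, so a domain B user's credentials
# are tried against the KDCs of MYDOMB.DOM.LOCAL as well.
<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms MYDOMA.DOM.LOCAL MYDOMB.DOM.LOCAL
    KrbServiceName HTTP/web01.mydoma.dom.local@MYDOMA.DOM.LOCAL
    Krb5Keytab /etc/httpd/conf/http.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    Require valid-user
</Location>
```

KrbAuthRealms is the list of realms mod_auth_kerb tries when it has to obtain initial credentials from a user name and password; the Negotiate path validates the client's service ticket against the keytab instead. For the second realm to be usable, /etc/krb5.conf on the server must also be able to locate KDCs for both MYDOMA.DOM.LOCAL and MYDOMB.DOM.LOCAL (explicit [realms] entries or dns_lookup_kdc = true) and map both DNS suffixes to their realms in [domain_realm]; the Kerberos exchange in the Netmon capture described below shows which realm the client and server actually used.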

Support KB article: Kerberos protocol registry entries and KDC configuration keys in Windows: http://support.microsoft.com/default.aspx?scid=kb;EN-US;837361

To investigate this issue, first take a network capture with Netmon: install Netmon v3.4 on an affected computer: http://www.microsoft.com/en-gb/download/details.aspx?id=4865

Start the capture.

From an XP command prompt, run: runas /profile /user:mydomb\user1 cmd.exe

Stop the capture and save it in .cap format.

Open the .cap file and, from the menu, choose Filter, Display Filter, Load Filters, Default Filters, Authentication Traffic to display the KerberosV5 protocol.

What is important to check is the RequestOptions registry key on the faulty computer:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;837361 – Kerberos protocol registry entries and KDC configuration keys in Windows Server 2003
Entry: RequestOptions
Type: REG_DWORD
Default Value: Any RFC 1510 value
This value indicates whether there are additional options that must be sent as KDC options in Ticket Granting Service requests (TGS_REQ). Also check whether the USER_USE_DES_KEY_ONLY flag (0x00008000) is set in the user's userAccountControl attribute, and check the network trace.