Hi Lars, Disclaiming any experience with AD; but this sounds like the domain join might have replaced the keytab that held the old service ticket, or perhaps it is now unreachable because AD has renamed the realm.
SASL traces should be visible, at least if you’re not running inside TLS, which is not necessary for GSS-API (but it is for data privacy since SASL apps usually don’t use the C_Wrap() facilities). I hope this helps! -Rick ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
