We've found it necessary to have 7 variations of the principal name as Active Directory could issue a service ticket for any of them. If the host's FQDN is comp1.domain.com, the sAMAccountName is COMP1$ and the realm is REALM.COM, we store keytab entries for the following list of principals for each supported encryption type:

  COMP1$@REALM.COM
  host/COMP1@REALM.COM
  host/comp1@REALM.COM
  host/comp1.domain.com@REALM.COM
  host/COMP1.DOMAIN.COM@REALM.COM
  host/COMP1.domain.com@REALM.COM
  host/comp1.DOMAIN.COM@REALM.COM
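A keytab can be audited against that list with the added example below (not code from the original post). It derives the seven spellings from the FQDN, sAMAccountName and realm, then reports which principal and encryption type pairs are absent from `klist -kte` output. The function names, the sample keytab listing and the encryption type are constructed for illustration, and the short host name is assumed to be the first label of the FQDN.

```python
import re

# One keytab row from `klist -kte`: KVNO, optional timestamp, principal, (enctype).
ROW = re.compile(r"^\s*\d+\s.*?(\S+@\S+)\s+\(([^)]+)\)\s*$")

def expected_principals(fqdn, sam_account_name, realm):
    """Return the seven spellings from the text, in the same order."""
    short, _, domain = fqdn.partition(".")  # assumption: short name = first FQDN label
    names = [
        sam_account_name,
        f"host/{short.upper()}",
        f"host/{short.lower()}",
        f"host/{fqdn.lower()}",
        f"host/{fqdn.upper()}",
        f"host/{short.upper()}.{domain.lower()}",
        f"host/{short.lower()}.{domain.upper()}",
    ]
    return [f"{n}@{realm}" for n in names]

def keytab_entries(klist_output):
    """Parse klist text into a set of (principal, enctype) pairs."""
    entries = set()
    for line in klist_output.splitlines():
        m = ROW.match(line)
        if m:  # header and separator lines do not match
            entries.add((m.group(1), m.group(2).replace("DEPRECATED:", "")))
    return entries

def missing_entries(klist_output, fqdn, sam_account_name, realm, enctypes):
    """Expected (principal, enctype) pairs the keytab lacks; comparison is case-sensitive."""
    have = keytab_entries(klist_output)
    return [(p, e) for p in expected_principals(fqdn, sam_account_name, realm)
            for e in enctypes if (p, e) not in have]

# Constructed sample listing: one of the seven spellings is deliberately absent.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2024 00:00:00 COMP1$@REALM.COM (aes256-cts-hmac-sha1-96)
   2 01/01/2024 00:00:00 host/COMP1@REALM.COM (aes256-cts-hmac-sha1-96)
   2 01/01/2024 00:00:00 host/comp1@REALM.COM (aes256-cts-hmac-sha1-96)
   2 01/01/2024 00:00:00 host/comp1.domain.com@REALM.COM (aes256-cts-hmac-sha1-96)
   2 01/01/2024 00:00:00 host/COMP1.DOMAIN.COM@REALM.COM (aes256-cts-hmac-sha1-96)
   2 01/01/2024 00:00:00 host/COMP1.domain.com@REALM.COM (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    for gap in missing_entries(SAMPLE, "comp1.domain.com", "COMP1$", "REALM.COM",
                               ["aes256-cts-hmac-sha1-96"]):
        print("missing:", *gap)
```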