The reason for not matching the name is to work with service aliases. See http://k5wiki.kerberos.org/wiki/Projects/Aliases, specifically the section "Server Principals". There was also some discussion of this on krbdev in December 2008 starting here:

http://mailman.mit.edu/pipermail/krbdev/2008-December/007154.html

The change being discussed there was to krb5_rd_req, and the change to krb5_server_decrypt_ticket_keytab didn't happen until it was necessary in order to make S4U testing with kvno work. But the reasoning is the same.

I don't know the best resolution for your use case, because I'm not familiar enough with AD to understand why you'd have multiple entries in a keytab for the same key with different names.