> BTW Why do you want to reset the account in AD? I don't see any reason.

I work with some Engineers that won't have a clue about how the proxy integrates in AD and although unlikely, if they do reset the <fqdn>-http account for any reason msktutil --auto-update will not automatically resolve the issue and I will have to manually kinit administrator and then run msktutil --auto-update to resolve it. If I am not available this will be a problem. I can document what to do (which is not hard) but frankly I do not have enough confidence they would follow the instructions... sad I know.

From --auto-update in the msktutil man page:

    ...Will also update if the keytab failed to authenticate but the default password did work. (e.g. after resetting the account in AD)...

This works with the <fqdn> but fails when using <fqdn>-http. So although minor, it looks like a possible bug in msktutil, but I am not sure.

I understand the point of having 2 different accounts in AD (thanks for that) and will just use <fqdn>-http for Kerberos and advise the guys to never reset the account and hope they remember.

Thank you for your time with this Markus, I appreciate it.

James