555 Application Does Not Support Kerberos
Backend applications lacking a Negotiate option in
the 401 Unauthorized challenge cause the
Akamai EAA connector to return
555 Application Does Not Support Kerberos.
Usage
Akamai EAA provides zero-trust network access by
proxying requests through connectors sitting between
end users and backend applications. When an application
is configured for Kerberos single sign-on (SSO), the
connector expects the backend to issue a
401 Unauthorized response with a
WWW-Authenticate: Negotiate header during the
authentication handshake.
The 555 error appears when the connector receives
a 401 challenge lacking the Negotiate scheme.
Without the Negotiate option, the connector has no
way to complete the Kerberos authentication flow on
behalf of the user.
This typically means Kerberos authentication is disabled on the backend application server, or the application uses a different authentication scheme (NTLM-only, Basic, or form-based) incompatible with Kerberos constrained delegation.
SEO impact
Search engines treat 555 responses as server errors. Persistent errors cause crawlers to reduce crawl frequency and eventually drop affected URLs from the index.
Example
A client requests a Kerberized application through
Akamai EAA. The connector contacts the backend,
receives a 401 challenge without the Negotiate
scheme, and returns a 555 to the client.
Request
GET /intranet/dashboard HTTP/1.1
Host: app.example.re
Accept: text/html
Response
HTTP/1.1 555 Application Does Not Support Kerberos
Date: Mon, 02 Mar 2026 14:20:00 GMT
Content-Type: text/html
<html>
<head><title>555 Error</title></head>
<body>
<h1>Application Does Not Support Kerberos</h1>
<p>No negotiate option found in 401 challenge</p>
</body>
</html>
How to fix
Enable Kerberos authentication on the backend
application server. For IIS-based applications, open
IIS Manager, select the application, navigate to
Authentication, and enable Windows Authentication with
the Negotiate provider listed first. For Apache with
mod_auth_kerb, add AuthType Kerberos to the
relevant <Location> block and enable the
Negotiate method with KrbMethodNegotiate On.
Verify the Service Principal Name (SPN) is registered
correctly in Active Directory. The SPN must match the
service account used by the EAA connector. Run
setspn -L <service_account> on the domain controller
to confirm the SPN entries.
If the backend application does not support Kerberos and switching authentication methods is not feasible, change the EAA application configuration to use a different SSO mechanism. NTLM, SAML, or header-based authentication are alternatives available in the EAA application settings.
Confirm the connector has network access to the backend on the correct port. A firewall blocking the connector from reaching the application causes the connector to receive no 401 challenge at all, which produces a different error (552 Application Unreachable).
See also
- Akamai EAA Application Response Codes
- Google: HTTP status codes and network errors
- Kerberos Constrained Delegation in EAA
- 401
- Authentication
- HTTP status codes