Installation and Maintenance

Caveats

To harden Kerberos against replay attacks, several of the messages passed between Kerberos, user and service carry (encrypted) timestamps which are compared to the system clock. So, as another way to avoid failures, make sure the clocks of the systems involved show the same time (usually within a tolerance of 5 minutes).
To allow two keys to overlap during a workstation (or user) key renewal, Kerberos can store multiple keys in its database and numbers them with a "key version number" (kvno). These kvnos are included in tickets and keytabs, and the kvno/key pair must match a valid combination for the key exchange to work.
 
Since the keytab file is very security-sensitive, it should only be readable by the user account the webserver runs as. That account does need read access to the file, of course (otherwise an HTTP 500 error is encountered).
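As an added example (not code from this page), the following Python reads an MIT-format keytab and lists the kvno of each stored key, so that the kvno carried in a ticket can be checked against what the keytab actually holds, and then checks that the file's permission bits exclude group and others. The sample keytab, its principal and its key bytes are constructed here and are not real key material.

```python
import os
import stat
import struct
# Constructed sample: an MIT keytab (format 0x0502) holding kvno 3 and kvno 4 for
# one service principal, as left by a key rollover. Key bytes are dummy placeholders.
def build_entry(principal, kvno, enctype, key):
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:                     # realm, then the name components
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)               # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

SAMPLE_PRINCIPAL = "HTTP/www.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_entry(SAMPLE_PRINCIPAL, k, 18, bytes([k]) * 32) for k in (3, 4))

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] from raw keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                              # free slot left by a deleted entry
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        parts = []
        for _ in range(ncomp + 1):                # realm followed by ncomp components
            n = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
            parts.append(data[pos:pos + n].decode()); pos += n
        pos += 8                                  # skip name type and timestamp
        kvno = data[pos]; pos += 1
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        if end - pos >= 4:                        # 32-bit kvno wins when non-zero
            kvno = struct.unpack(">I", data[pos:pos + 4])[0] or kvno
        pos = end
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
    return entries

def has_key(data, principal, kvno):   # does the keytab hold the kvno a ticket names?
    return any(p == principal and v == kvno for p, v, _ in parse_keytab(data))
def keytab_mode_ok(path):             # True only if group/other bits are all clear
    return os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO) == 0
```

A kvno that a ticket names but `has_key` cannot find is the usual cause of a decrypt failure after a key renewal; re-export the keytab rather than loosening its permissions.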
