Installation and Maintenance
Samba join realm procedure
As a first step on the way to successful negotiation, the Kerberos database and your system need to share a key (workstation key, WS-key) to encrypt authentication information for transport. Windows workstations generate this key during the "join" process to Active Directory. Linux machines can use Samba utilities and configuration files to accomplish this. If you have administrative access to a Windows system, you can use the "ktpass" utility to generate and export this key on the Windows command line. Since Samba doesn't require access to a Windows command line and automatically sets some parameters correctly, Samba is recommended and used in the following examples.
To identify the Linux system to the Kerberos database and to the users of the Apache services, the name entries in the different configurations must match. Apart from the key handling, this is the main cause of failures in Kerberos negotiation.
Kerberos negotiation is accomplished by passing encrypted tickets around between the Kerberos service, the user and Apache. Each ticket has to be encrypted with the key of its intended receiver; otherwise the receiver cannot decrypt the information contained in the ticket and negotiation fails.
Before a user can access kerberized services, the user has to authenticate against the Kerberos service and receives a "ticket granting ticket" for his "user principal name" (UPN).
Apache web services do not themselves log in to the Kerberos service, so the "user principal name" is not strictly needed. However, to test Kerberos ticket creation for the Linux system, setting a UPN for the system account is recommended. The Samba "net ads join" command can set the UPN entry with the "createupn=HTTP/fqdn@REALM" parameter. The correct value for the fqdn depends on some DNS entries (explained later); the REALM must match the realm configured in the Kerberos service and in /etc/samba/smb.conf. Remember to use upper-case letters for the realm. In Active Directory environments, the realm name is the DNS name of the AD domain (again: use UPPER CASE!).
When a user wants to log in to a kerberized service, the DNS name of the service must be determined. If the DNS entry for the host to be accessed is a normal host (A) record, this fqdn (the complete DNS name including all domain components) is used in the ticket request. If the DNS entry is a CNAME pointing to another hostname, the user's workstation (at least on Windows) does not use the CNAME but the canonical name reported by the DNS server. For this reason the canonicalized DNS name has to be used in some configuration steps.
For an easier flow of text, I will use "canonical-fqdn" throughout this document.
The correct command to create the Kerberos account and key for the Apache server is:
net ads join -U username createupn=HTTP/canonical-fqdn@REALM
(Set username, canonical-fqdn and REALM according to your environment; you should be prompted for the user's password.)
The user must have permission to create a computer account in the Kerberos database.
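As an added example (not part of the original document), a small POSIX shell script that checks the points above before and after the join: it follows a CNAME chain to the canonical fqdn, verifies that the realm is upper case and matches smb.conf, builds the net ads join line, and checks the resulting keytab listing for the HTTP principal. The dig and klist output it parses is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original page): pre- and post-join checks around
# "net ads join -U username createupn=HTTP/canonical-fqdn@REALM". The DNS and
# keytab data below are constructed; feed in real `dig +noall +answer` / `klist -k`.

# Follow CNAMEs in a dig answer section until a non-CNAME name is reached: Windows
# clients request the ticket for the canonical name, not for the alias.
canonical_fqdn() {
    name=$1; answers=$2; hops=0
    while [ "$hops" -lt 8 ]; do
        target=$(printf '%s\n' "$answers" |
            awk -v n="$name." '$1 == n && $4 == "CNAME" { print $5; exit }')
        [ -z "$target" ] && break
        name=${target%.}; hops=$((hops + 1))
    done
    printf '%s\n' "$name"
}

# The realm must be upper case and identical to the "realm =" line in smb.conf.
realm_ok() {
    realm=$1; smbconf=$2
    case $realm in '' | *[[:lower:]]*) return 1 ;; esac
    conf_realm=$(printf '%s\n' "$smbconf" |
        sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' | head -n 1)
    [ "$conf_realm" = "$realm" ]
}

# Print the join command with the canonicalized name filled in.
join_command() {
    printf 'net ads join -U %s createupn=HTTP/%s@%s\n' \
        "$1" "$(canonical_fqdn "$2" "$3")" "$4"
}

# After the join, the HTTP principal must appear in the keytab (`klist -k` output).
keytab_has_principal() {
    printf '%s\n' "$2" | grep -q "[[:space:]]$1\$"
}

# Constructed sample data: a two-hop CNAME chain, an smb.conf fragment, a keytab.
DIG_OUT='www.example.com.   3600 IN CNAME web.example.com.
web.example.com.   3600 IN CNAME web01.example.com.
web01.example.com. 3600 IN A     192.0.2.10'
SMB_CONF='[global]
   realm = EXAMPLE.COM
   security = ads'
KLIST_OUT='KVNO Principal
   2 HTTP/web01.example.com@EXAMPLE.COM'
realm_ok EXAMPLE.COM "$SMB_CONF" || echo "realm mismatch or not upper case" >&2
join_command admin www.example.com "$DIG_OUT" EXAMPLE.COM
keytab_has_principal HTTP/web01.example.com@EXAMPLE.COM "$KLIST_OUT" || echo "HTTP principal missing from keytab" >&2
```

With real data, run the DNS and realm checks before the join and the keytab check afterwards; a wrong realm case or an alias instead of the canonical name shows up here rather than as a failed negotiation in the Apache log.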
In Windows environments, workstations update the workstation key regularly. The AD service does not enforce key renewal at any interval; this process is driven entirely by the workstation. So if your Linux system never changes the key it uses, it will continue to work indefinitely.