Installation and Maintenance

Kerberos negotiation

True single sign-on requires the Kerberos "negotiate" method to work. Getting it to succeed takes a few more complex steps:

  1. Create an account in the Kerberos database
  2. Create keytable files
  3. Modify site configuration

Kerberos negotiation does not transmit authentication data or encryption keys between the Kerberos service, Apache and the client. Successful negotiation needs some prerequisites:
 
  • proper DNS and IP configuration and connectivity
  • correct use of the names of the Kerberos principals
  • synchronization of clocks between all systems involved

I will try to explain the use of principal names and Kerberos communications, derived from experiences in my test environment. If Kerberos behaves differently in your environment, I would like to know so that I can enhance this document.


