553 Directory Service Error
The HTTP 553 Directory Service Error status code is an unofficial 5xx server error specific to Akamai Enterprise Application Access (EAA). It is returned when the directory service, normally Active Directory, reports an error while the EAA connector performs Kerberos authentication to an origin application.
Usage
Akamai EAA returns 553 when the connector attempts Kerberos authentication against the origin application and the underlying directory service (typically Active Directory) returns an error. Several Kerberos exchanges can fail this way: obtaining a Ticket Granting Ticket (TGT) for the connector's service account, the constrained delegation exchanges (S4U2Self and S4U2Proxy) that obtain a ticket on the user's behalf, and the final service ticket request for the origin's Service Principal Name (SPN). If the Key Distribution Center (KDC) rejects or cannot process the request at any of these stages, EAA reports 553.
Common causes include:
- The Service Principal Name (SPN) configured in EAA does not match an SPN registered in Active Directory (for example, a short host name in EAA versus a fully qualified host name in the registered SPN).
- The KDC is reachable but rejects the request because the service account is misconfigured, its password has expired or been rotated without updating EAA, or the SPN is registered on more than one account.
- Clock skew between the connector and the KDC exceeds the Kerberos tolerance (five minutes by default), so ticket requests fail with a skew error.
- The service account the connector uses lacks the rights that constrained delegation requires: delegation to the origin's SPN and, because users authenticate at the IdP rather than with Kerberos, protocol transition.
The error surfaces after the user has successfully authenticated at the identity provider (IdP). The failure is in the second authentication hop, from the connector to the origin application using Kerberos, which is why a user who logged in without difficulty sees a 5xx page rather than a login prompt.
SEO impact
Search engines treat 553 responses like any other 5xx server error. Persistent errors cause crawlers to reduce crawl frequency and eventually drop the affected URLs from the index. In practice this rarely matters for EAA-protected applications: a crawler is redirected to the IdP before it reaches the Kerberos hop, so it never sees the 553.
Example
A client accesses a Kerberized intranet application through EAA. The IdP authenticates the user, but the connector fails to obtain a Kerberos service ticket for that user from Active Directory, so EAA answers the proxied request with 553.
Request
GET /intranet/home HTTP/1.1
Host: intranet.example.re
Cookie: akamai_eaa_session=eyJhbGciOiJSUzI1...
Response
HTTP/1.1 553 Directory Service Error
Content-Type: text/html
X-Akamai-Error-Code: 553

<html>
<head>
<title>Directory Service Error</title>
</head>
<body>
<h1>553 Directory Service Error</h1>
<p>A directory service error occurred during
Kerberos authentication.</p>
</body>
</html>
How to fix
Verify the SPN configured in the EAA application matches the SPN registered in Active Directory. List SPNs for the service account:
setspn -L service_account_name
The SPN format must match HTTP/hostname.domain.com exactly: the service class, the host part as EAA is configured to address the origin (a short name and a fully qualified name are different SPNs), and any non-default port. Duplicate SPNs in the domain cause ambiguous lookups and trigger 553. Search for duplicates:
setspn -X
Check clock synchronization between the connector and the domain controllers. The KDC rejects requests when the clock skew exceeds the domain's tolerance (five minutes by default), which appears in the logs as KRB5KRB_AP_ERR_SKEW. Configure NTP on the connector to sync with the same time source as the domain controllers, and confirm the domain controllers agree with each other.
Confirm the EAA service account has the correct delegation settings in Active Directory. For constrained delegation, the account must be trusted for delegation to the specific SPN of the target service (the msDS-AllowedToDelegateTo attribute). Because the user authenticated at the IdP rather than with Kerberos, the connector must use protocol transition (S4U2Self) to obtain a ticket in the user's name, so the account must be set to "Use any authentication protocol", not "Use Kerberos only". The delegation target must be the same SPN, in the same host name form, that you verified with setspn.
Review the connector error logs in the EAA management portal for the specific Kerberos error code, for example KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (no account holds the requested SPN), KRB5KRB_AP_ERR_SKEW (clock skew) or KRB5KDC_ERR_BADOPTION (the KDC refused the delegation request, typically because the service account may not delegate to that SPN or protocol transition is disabled). The error code identifies the exact failure and tells you which of the checks above to start with.
Verify the LDAP and Kerberos ports (88 TCP and UDP, 389 TCP, 636 TCP) are open between the connector and every domain controller it may contact. A partial firewall block on port 88 causes intermittent 553 responses: a Kerberos client that starts on UDP retries over TCP when the KDC answers KRB_ERR_RESPONSE_TOO_BIG, which happens for users whose tickets carry a large PAC (many group memberships), so blocking only TCP 88 fails for some users and not others.
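The checks above can be run together from a domain-joined Windows host with the RSAT ActiveDirectory module. The following script is an added example, not code from this page or from Akamai; the service account name, the SPN and the skew threshold are assumptions chosen to match the example host above, and the port and clock checks measure from the host that runs the script rather than from the connector.

```powershell
<#
  Added example (not from this page or from Akamai): AD-side pre-flight checks for the
  553 causes listed above. Run from a domain-joined Windows host with the RSAT
  ActiveDirectory module. All names and thresholds below are assumptions.
#>
param(
    [string]$ServiceAccount = 'svc-eaa-kcd',              # assumed EAA KCD service account (sAMAccountName)
    [string]$TargetSpn      = 'HTTP/intranet.example.re', # assumed SPN EAA requests for the origin app
    [int]   $MaxSkewSeconds = 300                         # Kerberos default tolerance (five minutes)
)

Import-Module ActiveDirectory -ErrorAction Stop
$problems = New-Object System.Collections.Generic.List[string]

# --- 1. Service account health: a disabled account or expired password fails the initial TGT request.
$acct = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName, `
    'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, PasswordExpired, Enabled
if (-not $acct.Enabled)    { $problems.Add("$ServiceAccount is disabled") }
if ($acct.PasswordExpired) { $problems.Add("$ServiceAccount has an expired password") }

# --- 2. Delegation target: msDS-AllowedToDelegateTo must list the origin SPN exactly.
#        A missing entry surfaces as KDC_ERR_BADOPTION on the S4U2Proxy request.
if (@($acct.'msDS-AllowedToDelegateTo') -notcontains $TargetSpn) {
    $problems.Add("$ServiceAccount may not delegate to $TargetSpn (msDS-AllowedToDelegateTo)")
}

# --- 3. Protocol transition: the user authenticated at the IdP, not with Kerberos, so the
#        connector must use S4U2Self. That requires 'Use any authentication protocol'.
if (-not $acct.TrustedToAuthForDelegation) {
    $problems.Add("$ServiceAccount lacks 'Use any authentication protocol' (protocol transition)")
}

# --- 4. SPN registration and duplicates: exactly one account must hold the origin SPN.
#        None gives KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; several give an ambiguous lookup.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$TargetSpn)" -Properties servicePrincipalName)
switch ($holders.Count) {
    0       { $problems.Add("$TargetSpn is not registered on any account") }
    1       { Write-Host "OK: $TargetSpn is registered on $($holders[0].Name)" }
    default { $problems.Add("$TargetSpn is duplicated on: $($holders.Name -join ', ')") }
}

# --- 5. Clock offset of this host against each DC via NTP (w32tm /stripchart). The connector's
#        own clock must be checked on the connector; this catches DCs that have drifted apart.
# --- 6. TCP reachability of the Kerberos/LDAP ports. Test-NetConnection is TCP-only and measures
#        from THIS host, so run it from the connector's network segment to reflect its firewall path.
#        UDP 88 is not tested here; tickets too large for UDP are retried over TCP 88, which is why
#        a block on TCP alone produces intermittent 553s that depend on the user's group membership.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $sample = w32tm /stripchart /computer:$dc /samples:1 /dataonly | Select-Object -Last 1
    if ($sample -match '([+-]\d+\.\d+)s') {
        $offset = [math]::Abs([double]$Matches[1])
        if ($offset -gt $MaxSkewSeconds) { $problems.Add("$dc clock offset ${offset}s exceeds ${MaxSkewSeconds}s") }
    }
    foreach ($port in 88, 389, 636) {
        $tnc = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        if (-not $tnc.TcpTestSucceeded) { $problems.Add("${dc}:$port TCP is not reachable from this host") }
    }
}

if ($problems.Count -eq 0) {
    Write-Host 'No AD-side problems found; check the connector logs for the Kerberos error code.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

The script exits non-zero when any check fails so it can sit in a change-management pipeline before an EAA application is published. It deliberately does not touch the connector: the connector's clock and its own firewall path can only be confirmed from the connector side or from a host that shares its network segment.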
Takeaway
The 553 Directory Service Error status code is an unofficial server error specific to Akamai EAA, returned when Kerberos authentication fails at the directory service level. The most common fixes involve correcting the SPN configuration, resolving clock skew, and verifying connector-to-KDC connectivity.
See also
- Akamai EAA Response Codes
- Google: HTTP status codes and network errors
- 401 Unauthorized
- 554 Authentication Token Error
- HTTP status codes