554 Authentication Token Error

The HTTP 554 Authentication Token Error status code is an unofficial server error specific to Akamai Enterprise Application Access (EAA), returned when the Kerberos token presented by the connector is not accepted by the origin application.

Usage

Akamai EAA returns 554 when the connector has successfully obtained a Kerberos service ticket for the application from the Key Distribution Center (KDC), but the origin application rejects it. The connector wraps the ticket (an AP-REQ) in a SPNEGO token and presents it to the origin in an Authorization: Negotiate header; instead of granting access, the origin answers with a rejection, which EAA surfaces to the client as a 554.

This differs from 553 Directory Service Error, where the ticket request itself fails at the KDC and no ticket is ever issued. With 554 the KDC has done its part; the failure is on the application side.

Common causes include:

  • The SPN in the Kerberos ticket does not match the SPN the application expects: a different host name (for example an alias or load balancer name rather than the server's own name), a different service class, or a different realm.
  • The application's service account keytab is out of sync with Active Directory (e.g., after a password rotation the key version number, kvno, in the keytab no longer matches the account), so the ticket cannot be decrypted.
  • The SPN is registered on a different account than the one the application actually runs as, so the ticket is encrypted with a key the application does not hold. A duplicate SPN registration (the same SPN on two accounts) can lead to the same symptom.
  • The ticket uses an encryption type (for example AES256) that the application's keytab or service account does not support.
  • Kerberos authentication is selected in the EAA application configuration but the origin server does not have Kerberos enabled, so the Negotiate header is not understood at all.

SEO impact

Search engines treat a 554 like any other 5xx response, that is, as a server error. If the errors persist, crawlers reduce crawl frequency and eventually drop the affected URLs from the index.

Example

A client accesses a Kerberized application through EAA. The connector obtains a Kerberos ticket but the origin application rejects the token.

Request

GET /erp/main HTTP/1.1
Host: erp.example.re
Cookie: akamai_eaa_session=eyJhbGciOiJSUzI1...

Response

HTTP/1.1 554 Authentication Token Error
Content-Type: text/html
X-Akamai-Error-Code: 554

<html>
<head>
<title>Authentication Token Error</title>
</head>
<body>
<h1>554 Authentication Token Error</h1>
<p>The Kerberos token is not accepted by the
application.</p>
</body>
</html>

How to fix

Verify the SPN configured in EAA matches the SPN registered on the origin application's service account. The SPN the connector uses to request the ticket must be identical to the one the application server validates against, realm included. On a domain-joined Windows host, setspn -L svc_erp lists the SPNs registered on the account, setspn -Q HTTP/erp.example.re shows which account holds that SPN, and setspn -X reports duplicate registrations across the forest.

Check the application server's keytab file. This step applies to non-Windows origins (Apache, Tomcat and similar), which validate tickets against a keytab; IIS uses the application pool account's credentials from Active Directory directly and has no keytab to refresh. After a service account password rotation in Active Directory the key version number (kvno) changes and the old keytab can no longer decrypt tickets, so regenerate and deploy a new one. ktpass is run on a Windows host by an account allowed to set the service account's password; note that with /mapuser and /pass it sets the password on svc_erp, so this command is itself a rotation, and any other host sharing that account needs the new keytab too. The account must also be allowed to use AES256 (the account option "This account supports Kerberos AES 256 bit encryption"), or the KDC will issue tickets with an encryption type the keytab does not hold:

ktpass /princ HTTP/erp.example.re@DOMAIN.COM ^
  /mapuser svc_erp@DOMAIN.COM ^
  /pass * /crypto AES256-SHA1 ^
  /ptype KRB5_NT_PRINCIPAL ^
  /out erp.keytab

On the origin, klist -kte erp.keytab lists each entry's principal, kvno and encryption type; the principal must be the SPN above and the kvno must match the account's current value.

Confirm Kerberos is enabled on the origin application server. IIS applications require Windows Authentication with the Negotiate provider enabled and listed before NTLM. Apache applications require mod_auth_gssapi (or the older, no longer maintained mod_auth_kerb) configured with the correct keytab path, for example GssapiCredStore keytab:/etc/httpd/erp.keytab.

Test the Kerberos flow independently of the connector by authenticating directly against the application from a domain-joined machine. On Linux obtain a TGT first with kinit; on Windows curl uses the logged-on user's credentials through SSPI. Use the same host name the connector uses, because curl derives the SPN (HTTP/<host>) from the URL, so testing through an alias or an IP address exercises a different SPN:

curl -v --negotiate -u : http://erp.example.re/erp

The -v output shows the initial 401 with WWW-Authenticate: Negotiate, the Authorization: Negotiate token curl sends back, and the final status.

If direct Kerberos authentication succeeds but EAA still returns 554, the EAA-side configuration, in particular the SPN it requests the ticket for, is the likely cause.

Review the connector error logs and the application server's own logs for the specific rejection reason. Kerberos does not send an AP-REP on failure (AP-REP is the mutual-authentication reply on success); the origin answers the AP-REQ with a 401, optionally carrying a KRB_ERROR inside the SPNEGO response, and the informative text is logged on the server side. With MIT Kerberos (mod_auth_gssapi and most Linux stacks) the GSSAPI error string identifies the cause: "Wrong principal in request" is an SPN mismatch, "Decrypt integrity check failed" means the ticket was encrypted with a key the keytab does not hold (SPN on the wrong account or a stale keytab), "Key version number for principal in key table is incorrect" is a stale keytab after a password rotation, "Key table entry not found" usually means the SPN or the ticket's encryption type is missing from the keytab, and "Clock skew too great" or "Ticket expired" point at time rather than configuration.
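To see exactly which SPN, realm, key version and encryption type a presented token was issued for, and to compare them with what the origin holds, the following added example (written for this page; it is not Akamai's tooling or the page's own code) decodes the cleartext ticket fields from an Authorization: Negotiate header value, such as one copied from a packet capture between connector and origin or from the request headers in curl -v --negotiate output. It walks the DER directly rather than depending on a Kerberos library, reads only the unencrypted parts of the AP-REQ (the encrypted parts are opaque without the service key), and feeds itself a constructed sample token; the expected SPN, the keytab's kvno of 3 and its AES256-only key set are assumptions for the scenario. The three findings it produces map onto the SPN, keytab and encryption-type causes listed under Common causes.

```python
import base64

# OID content bytes (without DER tag and length)
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Windows clients)
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample token)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        width = n & 0x7F
        n = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    return tag, buf[pos:pos + n], pos + n

def der_children(content):
    """List the (tag, content) pairs inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

def parse_negotiate(header_value):
    """Return realm, SPN, enctype and kvno of the ticket inside an
    'Authorization: Negotiate <base64>' value (SPNEGO or raw krb5 token)."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    _, body, _ = der_read(base64.b64decode(b64))   # [APPLICATION 0] InitialContextToken
    _, oid, pos = der_read(body)
    if oid == SPNEGO_OID:                          # unwrap NegTokenInit to its mechToken
        _, wrapped, _ = der_read(body, pos)        # [0] NegTokenInit
        fields = dict(der_children(der_read(wrapped)[1]))
        _, mech_token, _ = der_read(fields[0xA2])  # [2] mechToken OCTET STRING
        _, body, _ = der_read(mech_token)          # inner krb5 [APPLICATION 0]
        _, oid, pos = der_read(body)
    if oid not in (KRB5_OID, MS_KRB5_OID):
        raise ValueError("mechToken is not Kerberos")
    if body[pos:pos + 2] != b"\x01\x00":           # TOK_ID for KRB_AP_REQ
        raise ValueError("GSS token is not an AP-REQ")
    ap = dict(der_children(der_read(der_read(body, pos + 2)[1])[1]))  # [APPLICATION 14] AP-REQ
    ticket = dict(der_children(der_read(der_read(ap[0xA3])[1])[1]))   # [3] Ticket = [APPLICATION 1]
    realm = der_read(ticket[0xA1])[1].decode()                         # [1] realm (GeneralString)
    sname = dict(der_children(der_read(ticket[0xA2])[1]))             # [2] sname (PrincipalName)
    names = der_children(der_read(sname[0xA1])[1])                    # [1] name-string
    enc = dict(der_children(der_read(ticket[0xA3])[1]))               # [3] enc-part (EncryptedData)
    etype = int.from_bytes(der_read(enc[0xA0])[1], "big")             # [0] etype
    kvno = int.from_bytes(der_read(enc[0xA1])[1], "big") if 0xA1 in enc else None  # [1] kvno, optional
    return {"realm": realm, "spn": "/".join(v.decode() for _, v in names), "etype": etype, "kvno": kvno}

def diagnose(header_value, expected_spn, expected_realm, keytab_kvno, keytab_etypes):
    """Compare the ticket with what the origin holds; each string returned is one
    reason the origin would reject the token (an empty list means consistent)."""
    tk = parse_negotiate(header_value)
    findings = []
    if tk["spn"].lower() != expected_spn.lower() or tk["realm"].upper() != expected_realm.upper():
        findings.append(f"SPN mismatch: ticket is for {tk['spn']}@{tk['realm']}, "
                        f"origin expects {expected_spn}@{expected_realm}")
    if tk["etype"] not in keytab_etypes:
        have = ", ".join(ETYPE_NAMES.get(e, str(e)) for e in sorted(keytab_etypes))
        findings.append(f"enctype mismatch: ticket uses {ETYPE_NAMES.get(tk['etype'], tk['etype'])}, "
                        f"keytab holds {have}")
    if tk["kvno"] is not None and tk["kvno"] != keytab_kvno:
        findings.append(f"kvno mismatch: ticket kvno {tk['kvno']}, keytab kvno {keytab_kvno} "
                        "(keytab stale after a password rotation?)")
    return findings

def build_sample_token(realm, spn, etype, kvno):
    """Construct a SPNEGO NegTokenInit carrying an AP-REQ whose encrypted parts
    are zero filler. Sample data for this example only, not a real ticket."""
    parts = b"".join(der(0x1B, p.encode()) for p in spn.split("/"))
    sname = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0xA1, der(0x30, parts)))  # NT-SRV-INST
    enc_part = der(0x30, der(0xA0, der(0x02, bytes([etype]))) + der(0xA1, der(0x02, bytes([kvno])))
                     + der(0xA2, der(0x04, bytes(16))))
    ticket = der(0x61, der(0x30, der(0xA0, der(0x02, b"\x05")) + der(0xA1, der(0x1B, realm.encode()))
                       + der(0xA2, sname) + der(0xA3, enc_part)))
    authenticator = der(0x30, der(0xA0, der(0x02, bytes([etype]))) + der(0xA2, der(0x04, bytes(16))))
    ap_req = der(0x6E, der(0x30, der(0xA0, der(0x02, b"\x05")) + der(0xA1, der(0x02, b"\x0e"))
                       + der(0xA2, der(0x03, bytes(5))) + der(0xA3, ticket) + der(0xA4, authenticator)))
    krb_token = der(0x60, der(0x06, KRB5_OID) + b"\x01\x00" + ap_req)
    neg_init = der(0x30, der(0xA0, der(0x30, der(0x06, KRB5_OID))) + der(0xA2, der(0x04, krb_token)))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, neg_init))).decode()

if __name__ == "__main__":
    # Constructed scenario: ticket for an old host name, RC4, kvno 2; the origin's
    # keytab is assumed to hold HTTP/erp.example.re at kvno 3 with AES256 only.
    token = build_sample_token("DOMAIN.COM", "HTTP/erp-old.example.re", 23, 2)
    print(parse_negotiate(token))
    for finding in diagnose(token, "HTTP/erp.example.re", "DOMAIN.COM", 3, {18}):
        print("-", finding)
```

Feed diagnose the Authorization: Negotiate value captured between connector and origin, the SPN and realm the origin is configured for, and the kvno and encryption types reported by klist -kte on its keytab. An SPN finding points at the EAA application configuration (or at which account the SPN sits on); a kvno or enctype finding with a matching SPN points at the keytab or the account's allowed encryption types.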

Takeaway

The 554 Authentication Token Error status code is an unofficial server error specific to Akamai EAA, returned when the origin application rejects the Kerberos token presented by the connector. The fix typically involves aligning the SPN configuration between EAA and the application server, making sure that SPN sits on the account the application actually runs as, and keeping the keytab (and the encryption types it holds) current.

Last updated: March 6, 2026