555 Application Does Not Support Kerberos
The HTTP 555 Application Does Not Support Kerberos
status code is an unofficial server error specific to
Akamai Enterprise Application Access (EAA). The EAA
connector returns this code when the backend
application's 401 Unauthorized challenge does
not include a Negotiate option, indicating the
application does not support Kerberos
Authentication.
Usage
Akamai EAA provides zero-trust network access by
proxying requests through connectors sitting between
end users and backend applications. When an application
is configured for Kerberos single sign-on (SSO), the
connector expects the backend to issue a
401 Unauthorized response with a
WWW-Authenticate: Negotiate header during the
authentication handshake.
The 555 error appears when the connector receives
a 401 challenge lacking the Negotiate scheme.
Without the Negotiate option, the connector has no
way to complete the Kerberos authentication flow on
behalf of the user.
This typically means Kerberos authentication is disabled on the backend application server, or the application uses a different authentication scheme (NTLM-only, Basic, or form-based) incompatible with Kerberos constrained delegation.
SEO impact
Search engines treat 555 responses as server errors. Persistent errors cause crawlers to reduce crawl frequency and eventually drop affected URLs from the index.
Example
A client requests a Kerberized application through
Akamai EAA. The connector contacts the backend,
receives a 401 challenge without the Negotiate
scheme, and returns a 555 to the client.
Request
GET /intranet/dashboard HTTP/1.1
Host: app.example.re
Accept: text/html
Response
HTTP/1.1 555 Application Does Not Support Kerberos
Date: Mon, 02 Mar 2026 14:20:00 GMT
Content-Type: text/html
<html>
<head><title>555 Error</title></head>
<body>
<h1>Application Does Not Support Kerberos</h1>
<p>No negotiate option found in 401 challenge</p>
</body>
</html>
How to fix
Enable Kerberos authentication on the backend
application server. For IIS-based applications, open
IIS Manager, select the application, navigate to
Authentication, and enable Windows Authentication with
the Negotiate provider listed first. For Apache with
mod_auth_kerb, add AuthType Kerberos to the
relevant <Location> block and enable the
Negotiate method with KrbMethodNegotiate On.
Verify the Service Principal Name (SPN) is registered
correctly in Active Directory. The SPN must match the
service account used by the EAA connector. Run
setspn -L <service_account> on the domain controller
to confirm the SPN entries.
If the backend application does not support Kerberos and switching authentication methods is not feasible, change the EAA application configuration to use a different SSO mechanism. NTLM, SAML, or header-based authentication are alternatives available in the EAA application settings.
Confirm the connector has network access to the backend on the correct port. A firewall blocking the connector from reaching the application causes the connector to receive no 401 challenge at all, which produces a different error (552 Application Unreachable).
Takeaway
The 555 Application Does Not Support Kerberos
status code is an Akamai EAA error indicating the
backend application's 401 challenge lacks a
Negotiate option. Enabling Kerberos on the
application server or switching the EAA application
to a compatible SSO method resolves the issue.
See also
- Akamai EAA Application Response Codes
- Google: HTTP status codes and network errors
- Kerberos Constrained Delegation in EAA
- 401
- Authentication
- HTTP status codes