When you extend your kerb.keytab to accept additional HTTP service names, you might get the following error in your Apache webserver logs:
gss_accept_sec_context() failed: Invalid token was supplied (, No error)
If you’re sure that everything is (should be) configured correctly and you cannot explain why it’s still not working …
… then WAIT.
It might be due to delayed Active Directory replication, caching, or something totally different. I haven't dug into it, but it worked for me.