
I'm trying to set up SPNEGO r7 with Tomcat 7.0.54, but when calling request.getRemoteUser() from a JSP, I get the error below:

SEVERE: Servlet.service() for servlet [ssoServlet] in context with path [/rightitnow] threw exception [GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)] with root cause
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871)
        at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
        at net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
        at net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:229)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at com.rivermuse.server.filter.GWTCacheControlFilter.doFilter(GWTCacheControlFilter.java:43)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

I've seen the posts here http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/ and "Defective token detected" error (NTLM not Kerberos) with Kerberos/Spring Security/IE/Active Directory, but I still can't figure out what the problem is.

Tomcat is running on Ubuntu 12.04 LTS; I've used domainjoin-cli to add it to the Windows domain. I've tested from different clients (Firefox / IE / Chrome) on different OSes (Windows XP, 7, 2008 Server, MacOS) and the results are different on each combination: some combinations give the error above, other combinations give no warning at all, but getRemoteUser() still fails.

Performing the pre-flight checks in http://spnego.sourceforge.net/pre_flight.html , I'm able to run the HelloKDC successfully.

I've made sure that IE had the IWA enabled and that the server beer.test.co.uk was in the local intranet site list and added it to network.negotiate-auth.trusted-uris in firefox.

I've checked forward / reverse DNS as recommended by one post about this issue and I've got the following:

rabbit-stew:logs $ host beer.test.co.uk
beer.test.co.uk is an alias for beer.uk.river.com.
beer.uk.river.com has address 192.168.12.236
rabbit-stew:logs $ host 192.168.12.236
236.12.168.192.in-addr.arpa domain name pointer beer.uk.river.com.

dev@beer:~/deploy/conf$ cat jaas.conf 
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/[email protected]"
    useKeyTab=true
    keyTab="/home/dev/deploy/conf/tomcat.keytab"
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/[email protected]"
    useKeyTab=true
    keyTab="/home/dev/deploy/conf/tomcat.keytab"
    storeKey=true;
};

dev@beer:~/deploy/conf$ cat krb5.ini 
[libdefaults]
default_realm = TEST.CO.UK
default_keytab_name = FILE:/home/dev/deploy/conf/tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
TEST.CO.UK = {
        kdc = vs5gen2.test.co.uk:88
}

[domain_realm]
test.co.uk= TEST.CO.UK
.test.co.uk= TEST.CO.UK

dev@beer:~/deploy/conf$ cat login.conf 
spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    isInitiator=false;
};

What baffles me the most is that when I run the same code on my Mac, I'm able to get SSO to work.

Edit: Fixed the problem by adding a DNS A record instead of an alias, plus getting a manual Kerberos ticket on my Mac using kinit.
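The exception at the top of the stack trace is raised by sun.security.jgss.GSSHeader when the bytes handed to the Kerberos mechanism do not start with the RFC 2743 InitialContextToken tag (0x60). In practice that means the browser did not send a Kerberos ticket at all: it sent NTLM, either bare or as the preferred mechanism inside a SPNEGO NegTokenInit. A browser commonly falls back to NTLM when it cannot obtain a service ticket, and one reason it cannot is that many Kerberos clients canonicalize a CNAME to its target before building the SPN, so a request to beer.test.co.uk may ask the KDC for HTTP/beer.uk.river.com, a principal that is not in the keytab above; that is consistent with the fix of replacing the alias with an A record. The following Python script, added here as an example and not part of the original post or of the spnego library, decodes an "Authorization: Negotiate" header far enough to tell the three cases apart. The sample headers are constructed inside the script (the "AP-REQ" is a stand-in carrying only the GSS framing), and the names classify_negotiate_token, neg_token_init and sample_headers are this example's own.

```python
"""Classify an "Authorization: Negotiate <base64>" value as bare NTLM, SPNEGO or raw GSS."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {KRB5_OID: "Kerberos V5", MS_KRB5_OID: "MS KRB5",
              NTLMSSP_OID: "NTLMSSP", "1.3.6.1.4.1.311.2.2.30": "NEGOEX"}


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Encode one DER TLV (used only to build the constructed samples)."""
    return bytes([tag]) + _der_len(len(content)) + content


def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of token")
    return tag, buf[pos:end], end


def oid_to_der(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                   # base-128, high group first, continuation bit set
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def der_to_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def classify_negotiate_token(header_value):
    """Describe what the client actually put on the wire."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "scheme": scheme}
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):   # bare NTLM: the Java acceptor can never parse this
        return {"kind": "ntlm", "ntlm_type": int.from_bytes(token[8:12], "little")}
    if not token or token[0] != 0x60:      # RFC 2743 InitialContextToken framing missing
        return {"kind": "unknown"}
    _, inner, _ = read_tlv(token)
    _, oid_val, pos = read_tlv(inner)
    mech = der_to_oid(oid_val)
    if mech != SPNEGO_OID:                 # e.g. a raw Kerberos AP-REQ without SPNEGO
        return {"kind": "raw-gss", "mech": MECH_NAMES.get(mech, mech)}
    neg_tag, neg_init, _ = read_tlv(inner, pos)
    if neg_tag != 0xA0:                    # [1] NegTokenResp is a server-side reply, not a client token
        return {"kind": "spnego", "mechs": [], "note": "not a NegTokenInit"}
    _, seq, _ = read_tlv(neg_init)
    result = {"kind": "spnego", "mechs": [], "mech_token_is_gss": None}
    p = 0
    while p < len(seq):
        ctx_tag, val, p = read_tlv(seq, p)
        if ctx_tag == 0xA0:                # [0] mechTypes SEQUENCE OF OID, preferred mech first
            _, oids, _ = read_tlv(val)
            q = 0
            while q < len(oids):
                _, v, q = read_tlv(oids, q)
                result["mechs"].append(MECH_NAMES.get(der_to_oid(v), der_to_oid(v)))
        elif ctx_tag == 0xA2:              # [2] mechToken OCTET STRING: what GSSHeader gets to see
            _, mech_token, _ = read_tlv(val)
            result["mech_token_is_gss"] = bool(mech_token) and mech_token[0] == 0x60
    return result


def ntlm_type1():
    """Constructed minimal NTLM NEGOTIATE_MESSAGE (type 1); flag value is arbitrary."""
    return b"NTLMSSP\x00" + (1).to_bytes(4, "little") + (0xE2088297).to_bytes(4, "little") + b"\x00" * 16


def neg_token_init(mech_oids, mech_token):
    """Constructed SPNEGO NegTokenInit whose mechToken belongs to the first listed mech."""
    mech_types = der(0xA0, der(0x30, b"".join(oid_to_der(o) for o in mech_oids)))
    body = der(0x30, mech_types + der(0xA2, der(0x04, mech_token)))
    return der(0x60, oid_to_der(SPNEGO_OID) + der(0xA0, body))


def sample_headers():
    """Constructed headers for the three client behaviours; not captured traffic."""
    fake_ap_req = der(0x60, oid_to_der(KRB5_OID) + b"\x01\x00" + b"\x00" * 8)  # GSS framing only
    hdr = lambda t: "Negotiate " + base64.b64encode(t).decode()
    return {"ntlm_fallback": hdr(ntlm_type1()),
            "spnego_ntlm_preferred": hdr(neg_token_init([NTLMSSP_OID], ntlm_type1())),
            "spnego_kerberos": hdr(neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], fake_ap_req))}


if __name__ == "__main__":
    for name, value in sample_headers().items():
        print(name, classify_negotiate_token(value))
```

Feed it the real header from a failing request (Firefox's network panel or a proxy will show it). A result of kind "ntlm", or kind "spnego" with NTLMSSP first in mechs and mech_token_is_gss False, reproduces the "GSSHeader did not find the right tag" failure and points at the client side: the browser never got a ticket for the SPN it computed, so check that SPN (kerbtray or klist on Windows, klist on the Mac) against the principal in the keytab rather than debugging Tomcat further.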


2 Answers


I have seen this error when the Windows client did not send the correct service token for the requested service.

E.g. the service was HTTP/server.example.com but Windows sent a service ticket for a different service.

Using a Windows client, verify with the 'kerbtray' utility that the client really has the service token for the service HTTP/...


You have a DNS problem. Check with your admin.