Users are not authenticated automatically when accessing the mod_auth_vas secured site.
The browser is not configured to use Kerberos or "Windows Integrated Authentication".
The following error indicates that the browser sent an NTLM negotiate token:
vas_gss_spnego_accept: VAS_ERR_INTERNAL: First call to
gss_accept_sec_context() failed, minor_status = 0, result = 589824,
display_status = A token was invalid
If you are convinced that Kerberos tokens should be sent from the browser, you can confirm this by enabling 'LogLevel debug' in your httpd.conf file and then watching the logs. NTLM tokens sent from the browser start with "TlRM", while GSSAPI (Kerberos) tokens start with "YII".
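The prefix check above can be made exact by decoding the token instead of matching its first characters. The following is an added example, not part of the original article or of mod_auth_vas; the function names and the sample tokens are constructed for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                        # NTLM message signature
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2


def classify_negotiate(header_value):
    """Classify an Authorization header value by the token it carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "malformed"
    if raw.startswith(NTLMSSP_SIG):
        return "ntlm"
    if raw[:1] == b"\x60" and len(raw) > 2:  # GSS-API initial token tag
        first = raw[1]
        # DER length: short form is one byte, long form adds (first & 0x7F) bytes
        offset = 2 + (first & 0x7F if first & 0x80 else 0)
        if raw[offset:].startswith(SPNEGO_OID):
            return "gssapi-spnego"
        if raw[offset:].startswith(KRB5_OID):
            return "gssapi-krb5"
    return "unknown"


def sample_header(token):
    """Build a header value from raw token bytes."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def gss_token(mech_oid, body_len=600):
    """Constructed token: valid framing and mechanism OID, zero-filled body."""
    inner = mech_oid + b"\x00" * body_len
    return b"\x60\x82" + len(inner).to_bytes(2, "big") + inner


# Constructed samples (not captured traffic).
NTLM_HDR = sample_header(NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2")
SPNEGO_HDR = sample_header(gss_token(SPNEGO_OID))
KRB5_HDR = sample_header(gss_token(KRB5_OID))

if __name__ == "__main__":
    for hdr in (NTLM_HDR, SPNEGO_HDR, KRB5_HDR, "Basic dXNlcjpwYXNz"):
        print(f"{hdr[:24]:<26} -> {classify_negotiate(hdr)}")
```

The "YII" prefix is the base64 form of the bytes 0x60 0x82 followed by a length below 16384, so it only appears for GSS-API tokens between 256 and 16383 bytes long; decoding the token and checking the mechanism OID does not depend on its size.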
The solution is to make your client use Kerberos (Windows Integrated Authentication). For Internet Explorer, go through the IE configuration instructions.
Pay attention to the section on configuring IE6 for Windows Integrated Authentication: