+ GssapiCredStore keytab:/etc/httpd.keytab
+ GssapiCredStore client_keytab:/etc/httpd.keytab
+ GssapiCredStore ccache:FILE:/var/run/httpd/krb5ccache
+ GssapiDelegCcacheDir /var/run/httpd/clientcaches
+
+**NOTE:** The client keytab is necessary to allow GSSAPI to initiate via keytab
+on its own. If not present an external mechanism needs to kinit with the
+keytab and store a ccache in the configured ccache file.
+
+
+### GssapiBasicAuth
+Allows the use of Basic Auth in conjunction with Negotiate.
+If the browser fails to use Negotiate is will instead fallback to Basic and
+the username and password will be used to try to acquire credentials in the
+module via GSSAPI. If credentials are acquire successfully then they are
+validated against the server's keytab.
+
+- **Enable with:** GssapiBasicAuth On
+- **Default:** GssapiBasicAuth Off
+
+#### Example
+ <Location /gssapi>
+ AuthType GSSAPI
+ AuthName "Login"
+ GssapiBasicAuth On
+ GssapiCredStore keytab:/etc/httpd/http.keytab
+ Require valid-user
+ </Location>
+
+
+### GssapiAllowedMech
+
+List of allowed mechanisms. This is useful to restrict the mechanism that
+can be used when credentials for multiple mechanisms are available.
+By default no mechanism is set, this means all locally available mechanisms
+are allowed. The recognized mechanism names are: krb5, iakerb, ntlmssp
+
+#### Example
+ GssapiAllowedMech krb5
+ GssapiAllowedMech ntlmssp
+
+
+### GssapiBasicAuthMech
+
+List of mechanisms against which Basic Auth is attempted. This is useful to
+restrict the mechanisms that can be used to attempt password auth.
+By default no mechanism is set, this means all locally available mechanisms
+are allowed, unless GssapiAllowedMech is set, in which case those are used.
+GssapiBasicAuthMech always takes precedence over GssapiAllowedMech.
+The recognized mechanism names are: krb5, iakerb, ntlmssp
+
+#### Example
+ GssapiBasicAuthMech krb5