diff --git a/squid-3.4.2-brokenad.patch b/squid-3.4.2-brokenad.patch
new file mode 100644
index 0000000..c3b0105
--- /dev/null
+++ b/squid-3.4.2-brokenad.patch
@@ -0,0 +1,106 @@
+Index: helpers/external_acl/kerberos_ldap_group/support_krb5.cc
+===================================================================
+--- helpers/external_acl/kerberos_ldap_group/support_krb5.cc.orig 2013-12-30 12:33:27.000000000 +0100
++++ helpers/external_acl/kerberos_ldap_group/support_krb5.cc 2014-03-15 00:41:12.581050607 +0100
+@@ -52,7 +52,7 @@ krb5_cleanup()
+ * create Kerberos memory cache
+ */
+ int
+-krb5_create_cache(char *domain)
++krb5_create_cache(struct main_args *margs, char *domain)
+ {
+ 
+ krb5_keytab keytab = 0;
+@@ -130,8 +130,17 @@ krb5_create_cache(char *domain)
+ if (code) {
+ error((char *) "%s| %s: ERROR: Error while unparsing principal name : %s\n", LogTime(), PROGRAM, error_message(code));
+ } else {
+- debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name);
+- found = 1;
++ if (margs->brokenad == 1) {
++ if (!strncmp(principal_name,"HTTP/",strlen("HTTP/"))==0){
++ debug((char *) "%s| %s: DEBUG: Found principal without 'HTTP/' service name: %s NOT USING IT\n", LogTime(), PROGRAM, principal_name);
++ } else {
++ debug((char *) "%s| %s: DEBUG: Found principal with 'HTTP/' service name: %s\n", LogTime(), PROGRAM, principal_name);
++ found = 1;
++ }
++ } else {
++ debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name);
++ found = 1;
++ }
+ }
+ }
+#if defined(HAVE_HEIMDAL_KERBEROS) || ( defined(HAVE_KRB5_KT_FREE_ENTRY) && HAVE_DECL_KRB5_KT_FREE_ENTRY==1)
+Index: helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
+===================================================================
+--- helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc.orig 2013-12-30 12:33:27.000000000 +0100
++++ helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc 2014-03-15 00:39:14.653271451 +0100
+@@ -57,6 +57,7 @@ init_args(struct main_args *margs)
+ margs->rc_allow = 0;
+ margs->AD = 0;
+ margs->mdepth = 5;
++ margs->brokenad = 0;
+ margs->ddomain = NULL;
+ margs->groups = NULL;
+ margs->ndoms = NULL;
+@@ -176,7 +177,7 @@ main(int argc, char *const argv[])
+ 
+ init_args(&margs);
+ 
+- while (-1 != (opt = getopt(argc, argv, "diasg:D:N:S:u:U:t:T:p:l:b:m:h"))) {
++ while (-1 != (opt = getopt(argc, argv, "diasxg:D:N:S:u:U:t:T:p:l:b:m:h"))) {
+ switch (opt) {
+ case 'd':
+ debug_enabled = 1;
+@@ -228,6 +229,9 @@ main(int argc, char *const argv[])
+ case 'S':
+ margs.llist = xstrdup(optarg);
+ break;
++ case 'x':
++ margs.brokenad = 1;
++ break;
+ case 'h':
+ fprintf(stderr, "Usage: \n");
+ fprintf(stderr, "squid_kerb_ldap [-d] [-i] -g group list [-D domain] [-N netbios domain map] [-s] [-u ldap user] [-p ldap user password] [-l ldap url] [-b ldap bind path] [-a] [-m max depth] [-h]\n");
+@@ -244,6 +248,7 @@ main(int argc, char *const argv[])
+ fprintf(stderr, "-l ldap url\n");
+ fprintf(stderr, "-b ldap bind path\n");
+ fprintf(stderr, "-s use SSL encryption with Kerberos authentication\n");
++ fprintf(stderr, "-x force use of HTTP/ principal on ms ad 2008\n");
+ fprintf(stderr, "-a allow SSL without cert verification\n");
+ fprintf(stderr, "-m maximal depth for recursive searches\n");
+ fprintf(stderr, "-h help\n");
+Index: helpers/external_acl/kerberos_ldap_group/support.h
+===================================================================
+--- helpers/external_acl/kerberos_ldap_group/support.h.orig 2013-12-30 12:33:27.000000000 +0100
++++ helpers/external_acl/kerberos_ldap_group/support.h 2014-03-15 00:08:50.918686771 +0100
+@@ -97,6 +97,7 @@ struct main_args {
+ int rc_allow;
+ int AD;
+ int mdepth;
++ int brokenad;
+ char *ddomain;
+ struct gdstruct *groups;
+ struct ndstruct *ndoms;
+@@ -156,7 +157,7 @@ int create_nd(struct main_args *margs);
+ int create_ls(struct main_args *margs);
+ 
+ #ifdef HAVE_KRB5
+-int krb5_create_cache(char *domain);
++int krb5_create_cache(struct main_args *margs, char *domain);
+ void krb5_cleanup(void);
+ #endif
+ 
+Index: helpers/external_acl/kerberos_ldap_group/support_ldap.cc
+===================================================================
+--- helpers/external_acl/kerberos_ldap_group/support_ldap.cc.orig 2013-12-30 12:33:27.000000000 +0100
++++ helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2014-03-15 00:14:51.423011652 +0100
+@@ -801,7 +801,7 @@ get_memberof(struct main_args *margs, ch
+ debug((char *) "%s| %s: DEBUG: Setup Kerberos credential cache\n", LogTime(), PROGRAM);
+ 
+ #ifdef HAVE_KRB5
+- kc = krb5_create_cache(domain);
++ kc = krb5_create_cache(margs,domain);
+ if (kc) {
+ error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM);
+ }
diff --git a/squid.changes b/squid.changes
index da34eab..ea7ad5c 100644
--- a/squid.changes
+++ b/squid.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sun Mar 16 08:54:50 UTC 2014 - boris@steki.net
+
+- added patch to force kerberos principalname handling
+ ( http://bugs.squid-cache.org/show_bug.cgi?id=4042 )
+
 -------------------------------------------------------------------
 Sat Mar 15 12:11:30 UTC 2014 - chris@computersalat.de
diff --git a/squid.spec b/squid.spec
index 7667215..11a665e 100644
--- a/squid.spec
+++ b/squid.spec
@@ -60,6 +60,8 @@ Patch101: %{name}-nobuilddates.patch
 ## File is compiled without RPM_OPT_FLAGS
 # squid3 no-rpm-opt-flags :./cf_gen.cc
 Patch102: %{name}-compiled_without_RPM_OPT_FLAGS.patch
+# patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042)
+Patch103: squid-3.4.2-brokenad.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: %fillup_prereq
 PreReq: %insserv_prereq
@@ -136,6 +138,7 @@ perl -p -i -e 's|/usr/local/bin/perl|/usr/bin/perl|' `find -name "*.pl"`
 chmod a-x CREDITS
 %patch101
 %patch102
+%patch103
 %build
 export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
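Review bot: The new keytab filter in the support_krb5.cc hunk, `if (!strncmp(principal_name,"HTTP/",strlen("HTTP/"))==0){`, parses as `(!strncmp(...)) == 0`, which does pick the right branch (true when the name does not start with `HTTP/`) but reads like the classic inverted-strcmp bug and trips `-Wlogical-not-parentheses`; the intent is plain as `if (strncmp(principal_name, "HTTP/", strlen("HTTP/")) != 0) {`. The keytab iteration this check sits in, and the rest of krb5_create_cache, begin before the hunk, so whether the search stops at the first `HTTP/` entry or keeps overwriting `found` with later ones cannot be confirmed from here and is worth a look, since it decides which service credential the helper ends up with. In kerberos_ldap_group.cc the `-x` switch is added to the getopt string and the option descriptions, but the `Usage:` synopsis line still ends with `[-m max depth] [-h]` and should gain `[-x]`. A one-line comment above `margs->brokenad = 1;` such as `// -x: only accept HTTP/ service principals from the keytab (AD 2008 workaround, squid bug 4042)` would tie the flag to the behaviour it switches on.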
@@ -219,6 +222,7 @@ mv %{buildroot}%{_sbindir}/cachemgr.cgi %{buildroot}/%{_libdir}/%{name}
 install -d -m 755 doc/contrib
 install %{SOURCE6} doc/contrib
 install -D -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/pam.d/%{name}
+install -D -m 644 ./helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8 %{buildroot}%{_mandir}/man8/ext_kerberos_ldap_group_acl.8
 rm -rf %{buildroot}%{squidconfdir}/errors
 for i in errors/*; do