diff --git a/playbooks/groups/logserver.yml b/playbooks/groups/logserver.yml
index f728361170..fa9588bc58 100644
--- a/playbooks/groups/logserver.yml
+++ b/playbooks/groups/logserver.yml
@@ -23,6 +23,12 @@
 - epylog
 - openvpn/client
 - awstats
+ - role: keytab/service
+ owner_user: apache
+ owner_group: apache
+ service: HTTP
+ host: "admin.fedoraproject.org"
+ when: env == "production"
 tasks:
 - include: "{{ tasks }}/yumrepos.yml"
diff --git a/roles/epylog/files/epylog-web.conf b/roles/epylog/files/epylog-web.conf
index dc7fe5a0ac..826d4be322 100644
--- a/roles/epylog/files/epylog-web.conf
+++ b/roles/epylog/files/epylog-web.conf
@@ -6,10 +6,13 @@ LoadModule authn_file_module modules/mod_authn_file.so
 Options FollowSymLinks Indexes
- AuthType Basic
- AuthName "Fedora Log Server"
- AuthBasicProvider file
- AuthUserFile /srv/web/epylog/.htpasswd
- Require valid-user
+ AuthName "Epylog GSSAPI Login"
+ GssapiCredStore keytab:/etc/krb5.HTTP_admin.fedoraproject.org.keytab
+ AuthType GSSAPI
+ # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
+ GssapiSSLonly Off
+ GssapiLocalName on
+ # This should coincide with sysadmin-logs until we have group info
+ Require user codeblock kevin puiterwijk ralph smooge nb cydrobolt
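Review bot: The `when: env == "production"` condition on the keytab/service role means the keytab is deployed only in production, while the epylog-web.conf changed in this same commit is a static file that references `/etc/krb5.HTTP_admin.fedoraproject.org.keytab` unconditionally. If the epylog role also runs on non-production log servers (not visible here), mod_auth_gssapi there would have no credentials and would likely reject every request; that fails closed, but it should be a stated decision rather than a side effect. The keytab file name also appears to be derived from `service` and `host`, so a comment above the role entry such as `# keytab path must match GssapiCredStore in roles/epylog/files/epylog-web.conf` would keep the two from drifting apart. The roles list this entry belongs to starts above the hunk.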
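Review bot: The `Require user` line makes a hand-maintained list of seven names the only authorization check, so removing someone from sysadmin-logs does not revoke their access to the log reports until this file is edited as well. I would extend the comment above it to say so, for example `# Manual copy of sysadmin-logs: remove users here when they leave the group`. `GssapiSSLonly Off` is explained by its comment, but it is only safe if this site cannot be reached except through the TLS-terminating proxy; nothing in the hunk shows that restriction, so it is worth confirming on the proxy and firewall side. The opening and closing lines of the enclosing block are not visible in this hunk.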