diff --git a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
index f5f1a646a8ab4dd12fab4686e39e1e726330abac..73ac3c6c34cb74365f6ec1901b588909e3456b54 100755
--- a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
@@ -34,7 +34,6 @@ eoshost=`hostname -f`
 EOS_INSTANCE=`hostname -s`
 TAPE_FS_ID=65535
 CTA_BIN=/usr/bin/eoscta_stub
-CTA_KT=/etc/cta/cta-cli.sss.keytab
 CTA_XrdSecPROTOCOL=sss
 CTA_PROC_DIR=/eos/${EOS_INSTANCE}/proc/cta
 CTA_WF_DIR=${CTA_PROC_DIR}/workflow
diff --git a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctafrontend.sh b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctafrontend.sh
index a8e7e59f059792e243f98d61cbeffcffca51b982..18d31d8775f4f32d816b7a7c6f3172c7dd8046ec 100755
--- a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctafrontend.sh
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctafrontend.sh
@@ -30,13 +30,6 @@ echo ${DATABASEURL} >/etc/cta/cta-catalogue.conf
 # EOS INSTANCE NAME used as username for SSS key
 EOSINSTANCE=ctaeos
 
-# Create SSS key for cta-cli, must be forwardable in kubernetes realm (this is what the + is for)
-# USER IN THE SSS FILE IS THE EOS INSTANCE NAME THE REST IS BS
-echo y | xrdsssadmin -k cta-cli+ -u ${EOSINSTANCE} -g cta add /etc/cta/cta-cli.sss.keytab
-chmod 600 /etc/cta/cta-cli.sss.keytab
-chown cta /etc/cta/cta-cli.sss.keytab
-# DO NOT FORGET THAT YOU CAN DEFINE SEPARATE CLIENT AND SERVER KEYTABS
-
 # Wait for the keytab file to be pushed in by the creation script.
 echo -n "Waiting for /etc/cta/cta-frontend.krb5.keytab"
 for ((;;)); do test -e /etc/cta/cta-frontend.krb5.keytab && break; sleep 1; echo -n .; done
diff --git a/continuousintegration/orchestration/create_instance.sh b/continuousintegration/orchestration/create_instance.sh
index 87c76607d8fa0807e7b9a3b5b985b9d8ca82674b..d7fb5217ae4711166c5f153e9ad3874f9da7c7fc 100755
--- a/continuousintegration/orchestration/create_instance.sh
+++ b/continuousintegration/orchestration/create_instance.sh
@@ -275,16 +275,15 @@ kubectl --namespace=${instance} exec ctacli klist
 echo -n "Configuring cta SSS for ctafrontend access from ctaeos"
 for ((i=0; i<300; i++)); do
   echo -n "."
-  [ "`kubectl --namespace=${instance} exec ctafrontend -- bash -c "[ -f /etc/cta/cta-cli.sss.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] && break
+  [ "`kubectl --namespace=${instance} exec ctaeos -- bash -c "[ -f /etc/eos.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] && break
   sleep 1
 done
-[ "`kubectl --namespace=${instance} exec ctafrontend -- bash -c "[ -f /etc/cta/cta-cli.sss.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] || die "TIMED OUT"
-# just in case /etc/cta directory does not exist yet
-kubectl --namespace=${instance} exec -i ctaeos --  bash -c "mkdir -p /etc/cta"
-kubectl --namespace=${instance} exec ctafrontend -- cat /etc/cta/cta-cli.sss.keytab | kubectl --namespace=${instance} exec -i ctaeos --  bash -c "cat > /etc/cta/cta-cli.sss.keytab; chmod 600 /etc/cta/cta-cli.sss.keytab; chown daemon /etc/cta/cta-cli.sss.keytab"
+[ "`kubectl --namespace=${instance} exec ctaeos -- bash -c "[ -f /etc/eos.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] || die "TIMED OUT"
+kubectl --namespace=${instance} exec ctaeos -- grep ${EOSINSTANCE} /etc/eos.keytab | sed "s/daemon/${EOSINSTANCE}/g" |\
+kubectl --namespace=${instance} exec -i ctafrontend -- \
+bash -c "cat > /etc/cta/eos.sss.keytab; chmod 400 /etc/cta/eos.sss.keytab; chown cta:cta /etc/cta/eos.sss.keytab"
 echo OK
 
-
 echo -n "Waiting for EOS to be configured"
 for ((i=0; i<300; i++)); do
   echo -n "."
diff --git a/xroot_plugins/cta-frontend-xrootd.conf b/xroot_plugins/cta-frontend-xrootd.conf
index a16ff1431001c385335717881a5c10ab8ac653ea..3bcbffe0e058bb16113df4a60f719a012273edb6 100644
--- a/xroot_plugins/cta-frontend-xrootd.conf
+++ b/xroot_plugins/cta-frontend-xrootd.conf
@@ -23,7 +23,7 @@ xrootd.seclib libXrdSec.so
 # Protocol specification
 # The xroot server process needs to be able to read the keytab file
 sec.protocol krb5 /etc/cta/cta-frontend.krb5.keytab cta/cta-frontend@TEST.CTA
-sec.protocol sss -s /etc/cta/cta-cli.sss.keytab
+sec.protocol sss -s /etc/cta/eos.sss.keytab
 
 # Only Kerberos 5 and sss are allowed
 sec.protbind * only sss krb5