diff --git a/examples/kerberos/src/main/java/org/keycloak/example/kerberos/GSSCredentialsClient.java b/examples/kerberos/src/main/java/org/keycloak/example/kerberos/GSSCredentialsClient.java
index 19fbf910c0..3017b1e7a3 100644
--- a/examples/kerberos/src/main/java/org/keycloak/example/kerberos/GSSCredentialsClient.java
+++ b/examples/kerberos/src/main/java/org/keycloak/example/kerberos/GSSCredentialsClient.java
@@ -24,9 +24,9 @@ import org.keycloak.util.KerberosSerializationUtils;
*
* We can use GSSCredential to further GSS API calls . Note that if you will use GSS API directly, you can
* attach GSSCredential when creating GSSContext like this:
- * GSSContext context = gssManager.createContext(serviceName, krb5Oid, deserializedGssCredFromKeycloakAccessToken, GSSContext.DEFAULT_LIFETIME);
+ * GSSContext context = gssManager.createContext(serviceName, KerberosSerializationUtils.KRB5_OID, deserializedGssCredential, GSSContext.DEFAULT_LIFETIME);
*
- * In this example we will authenticate with GSSCredential against LDAP server, which calls GSS API under the hood
+ * In this example we authenticate against LDAP server, which calls GSS API under the hood when credential is attached to env under Sasl.CREDENTIALS key
*
* @author Marek Posolda
*/
@@ -38,10 +38,10 @@ public class GSSCredentialsClient {
String username = accessToken.getPreferredUsername();
// Retrieve kerberos credential from accessToken and deserialize it
- String serializedGssCredential = (String) keycloakPrincipal.getKeycloakSecurityContext().getToken().getOtherClaims().get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
- GSSCredential gssCredential = KerberosSerializationUtils.deserializeCredential(serializedGssCredential);
+ String serializedGssCredential = (String) accessToken.getOtherClaims().get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
+ GSSCredential deserializedGssCredential = KerberosSerializationUtils.deserializeCredential(serializedGssCredential);
- // First try to invoke without gssCredential. It should fail
+ // First try to invoke without gssCredential. It should fail. This is here just for illustration purposes
try {
invokeLdap(null, username);
throw new RuntimeException("Not expected to authenticate to LDAP without credential");
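Review bot: The value read with `accessToken.getOtherClaims().get(KerberosConstants.GSS_DELEGATION_CREDENTIAL)` is cast and handed straight to `deserializeCredential` without a check that the claim is present. A token issued for a login that did not go through SPNEGO, or from a setup where credential delegation is not enabled, would presumably lack this claim, and how `deserializeCredential` treats null is not visible in this hunk. An explicit guard before the deserialize call would make that failure readable, for example `if (serializedGssCredential == null) throw new IllegalStateException("Access token has no delegated GSS credential claim");`. Since the claim carries a delegated Kerberos credential that lets the holder act as the user, a short comment there saying it must never be logged or persisted would also help. The enclosing method starts and ends outside the hunk.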
@@ -49,7 +49,7 @@ public class GSSCredentialsClient {
System.out.println("GSSCredentialsClient: Expected exception: " + nse.getMessage());
}
- return invokeLdap(gssCredential, username);
+ return invokeLdap(deserializedGssCredential, username);
}
private static LDAPUser invokeLdap(GSSCredential gssCredential, String username) throws NamingException {
diff --git a/examples/kerberos/src/main/webapp/index.jsp b/examples/kerberos/src/main/webapp/index.jsp
index 933b1d5f57..c1df8f0878 100644
--- a/examples/kerberos/src/main/webapp/index.jsp
+++ b/examples/kerberos/src/main/webapp/index.jsp
@@ -20,7 +20,7 @@
String logoutUri = KeycloakUriBuilder.fromUri("/auth").path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH)
.queryParam("redirect_uri", "/kerberos-portal").build("kerberos-demo").toString();
%>
- List of users from LDAP | Logout
+ Details about user from LDAP | Logout
sn: " + ldapUser.getSn() + "
"); } catch (Exception e) { e.printStackTrace(); - out.println("There was a failure invoking LDAP. Check server.log for more details"); + out.println("There was a failure in retrieve GSS credential or invoking LDAP. Check server.log for more details"); } %>
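Review bot: The `out.println` calls above the catch block write LDAP attribute values such as `ldapUser.getSn()` into the page by plain string concatenation, apparently without HTML encoding (the surrounding markup is not fully visible here). Directory attributes are not guaranteed to be free of markup, so they should go through an escaping step, for instance JSTL `<c:out value="..."/>` or `fn:escapeXml`, before reaching the response. Keeping the exception text out of the response, as the new message does, is the right call, but `e.printStackTrace()` writes to stderr, which may not be the server.log the message points to. The new wording would also read better as `"There was a failure retrieving the GSS credential or invoking LDAP. Check server.log for more details"`.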