diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
index a97463ac881..899b6c44dc7 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@@ -45,7 +45,6 @@ import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.OutputStreamWriter;
 import java.io.Writer;
-import java.lang.reflect.UndeclaredThrowableException;
 import java.net.HttpURLConnection;
 import java.net.SocketTimeoutException;
 import java.net.URI;
@@ -401,8 +400,6 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
       });
     } catch (IOException ex) {
       throw ex;
-    } catch (UndeclaredThrowableException ex) {
-      throw new IOException(ex.getUndeclaredThrowable());
     } catch (Exception ex) {
       throw new IOException(ex);
     }
diff --git a/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm b/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
index 682f4795d89..5fded9282c7 100644
--- a/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
+++ b/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
@@ -602,31 +602,7 @@ $ keytool -genkey -alias tomcat -keyalg RSA
 
 *** HTTP Kerberos Principals Configuration
 
-  When KMS instances are behind a load-balancer or VIP, clients will use the
-  hostname of the VIP. For Kerberos SPNEGO authentication, the hostname of the
-  URL is used to construct the Kerberos service name of the server,
-  <<<HTTP/#HOSTNAME#>>>. This means that all KMS instances must have have a
-  Kerberos service name with the load-balancer or VIP hostname.
-
-  In order to be able to access directly a specific KMS instance, the KMS
-  instance must also have Kebero service name with its own hostname. This is
-  require for monitoring and admin purposes.
-
-  Both Kerberos service principal credentials (for the load-balancer/VIP
-  hostname and for the actual KMS instance hostname) must be in the keytab file
-  configured for authentication. And the principal name specified in the
-  configuration must be '*'. For example:
-
-+---+
-  <property>
-    <name>hadoop.kms.authentication.kerberos.principal</name>
-    <value>*</value>
-  </property>
-+---+
-
-  <<NOTE:>> If using HTTPS, the SSL certificate used by the KMS instance must
-  be configured to support multiple hostnames (see Java 7
-  <<<keytool>> SAN extension support for details on how to do this).
+  TBD
 
 *** HTTP Authentication Signature
 
diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
index 42afe19a73f..cdb3c7f5098 100644
--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
@@ -32,7 +32,6 @@ import org.apache.hadoop.minikdc.MiniKdc;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authorize.AuthorizationException;
 import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
 import org.junit.AfterClass;
@@ -210,7 +209,6 @@ public class TestKMS {
     keytab = new File(kdcDir, "keytab");
     List<String> principals = new ArrayList<String>();
     principals.add("HTTP/localhost");
-    principals.add("HTTP/127.0.0.1");
     principals.add("client");
     principals.add("hdfs");
     principals.add("otheradmin");
@@ -253,8 +251,8 @@ public class TestKMS {
     }
   }
 
-  public void testStartStop(final boolean ssl, final boolean kerberos,
-      final boolean multipleServerPrincipals) throws Exception {
+  public void testStartStop(final boolean ssl, final boolean kerberos)
+      throws Exception {
     Configuration conf = new Configuration();
     if (kerberos) {
       conf.set("hadoop.security.authentication", "kerberos");
@@ -280,12 +278,7 @@ public class TestKMS {
       conf.set("hadoop.kms.authentication.type", "kerberos");
       conf.set("hadoop.kms.authentication.kerberos.keytab",
           keytab.getAbsolutePath());
-      if (multipleServerPrincipals) {
-        conf.set("hadoop.kms.authentication.kerberos.principal", "*");
-      } else {
-        conf.set("hadoop.kms.authentication.kerberos.principal",
-            "HTTP/localhost");
-      }
+      conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
       conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
     }
 
@@ -298,42 +291,21 @@ public class TestKMS {
         URL url = getKMSUrl();
         Assert.assertEquals(keystore != null,
             url.getProtocol().equals("https"));
+        final URI uri = createKMSUri(getKMSUrl());
 
         if (kerberos) {
           for (String user : new String[]{"client", "client/host"}) {
             doAs(user, new PrivilegedExceptionAction<Void>() {
               @Override
               public Void run() throws Exception {
-                URI uri = createKMSUri(getKMSUrl());
-                KeyProvider kp = new KMSClientProvider(uri, conf);
+                final KeyProvider kp = new KMSClientProvider(uri, conf);
                 // getKeys() empty
                 Assert.assertTrue(kp.getKeys().isEmpty());
-
-                if (!ssl) {
-                  String url = getKMSUrl().toString();
-                  url = url.replace("localhost", "127.0.0.1");
-                  uri = createKMSUri(new URL(url));
-                  if (multipleServerPrincipals) {
-                    kp = new KMSClientProvider(uri, conf);
-                    // getKeys() empty
-                    Assert.assertTrue(kp.getKeys().isEmpty());
-                  } else {
-                    kp = new KMSClientProvider(uri, conf);
-                    try {
-                      kp.getKeys().isEmpty();
-                      Assert.fail();
-                    } catch (IOException ex) {
-                      Assert.assertEquals(AuthenticationException.class,
-                          ex.getCause().getClass());
-                    }
-                  }
-                }
                 return null;
               }
             });
           }
         } else {
-          URI uri = createKMSUri(getKMSUrl());
           KeyProvider kp = new KMSClientProvider(uri, conf);
           // getKeys() empty
           Assert.assertTrue(kp.getKeys().isEmpty());
@@ -345,27 +317,22 @@ public class TestKMS {
 
   @Test
   public void testStartStopHttpPseudo() throws Exception {
-    testStartStop(false, false, false);
+    testStartStop(false, false);
   }
 
   @Test
   public void testStartStopHttpsPseudo() throws Exception {
-    testStartStop(true, false, false);
+    testStartStop(true, false);
   }
 
   @Test
   public void testStartStopHttpKerberos() throws Exception {
-    testStartStop(false, true, false);
+    testStartStop(false, true);
   }
 
   @Test
   public void testStartStopHttpsKerberos() throws Exception {
-    testStartStop(true, true, false);
-  }
-
-  @Test
-  public void testStartStopHttpsKerberosMultiplePrincipals() throws Exception {
-    testStartStop(false, true, true);
+    testStartStop(true, true);
   }
 
   @Test
@@ -1373,8 +1340,7 @@ public class TestKMS {
           KeyProvider kp = new KMSClientProvider(uri, conf);
           kp.createKey("kA", new KeyProvider.Options(conf));
         } catch (IOException ex) {
-          Assert.assertEquals(AuthenticationException.class,
-              ex.getCause().getClass());
+          System.out.println(ex.getMessage());
         }
 
         doAs("client", new PrivilegedExceptionAction<Void>() {