The current Kerberos instructions rely on the trace user falling back to the GENERAL_KERBEROS_KEYTAB when Kerberos for client access is enabled. This works as expected on the TraceServer, but the Monitor's servlet for viewing traces only uses the trace keytab.
The workaround is to use the undocumented trace.token.property.keytab property to specify the appropriate keytab.
Even once the trace user keytab property is documented in ACCUMULO-4488, we should make the behavior match that in the TraceServer.