SSSD container fails to install with 401 HTTP error

Issue

During the installation of the containerised SSSD the ipa-client-install script fails

   [root@atomic ~]# atomic install rhel7/sssd              
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh
Initializing configuration context from host ...
Discovery was successful!
Client hostname: atomic.internal.local
Realm: INTERNAL.LOCAL
DNS Domain: internal.local
IPA Server: ipa-atomic.internal.local
BaseDN: dc=internal,dc=local
Skipping synchronizing time with NTP server.
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=INTERNAL.LOCAL
    Issuer:      CN=Certificate Authority,O=INTERNAL.LOCAL
    Valid From:  Wed Jun 28 09:52:34 2017 UTC
    Valid Until: Sun Jun 28 09:52:34 2037 UTC

Joining realm failed: HTTP response code is 401, not 200

Use ipa-getkeytab to obtain a host principal for this server.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639107): No credentials cache found

Installation failed. Force set so not rolling back changes.