APM - How to create a keytab file with multiple SPNs
There are actually two ways (that I know of) to aggregate multiple keys into a single keytab:
- The first is with ktutil (you’ll need to copy the keytabs to a Linux box, merge, then copy back).
- The second way, which I think is much easier, uses the “-in” option of the ktpass utility. Follow this link for additional information (under the section "Appending Additional Keytabs to Create the Final Master Keytab File"):
http://fusionsecurity.blogspot.com/2013/02/part-2-how-to-configure-oam11g-wna-for.html

ktpass -princ HTTP/oam.server.com@FOREST2.PIXIE.COM -mapuser oamkrb5 -pass Oracle123 -ptype KRB5_NT_PRINCIPAL -crypto ALL -in forest1.krb5.keytab -out forest2.krb5.keytab

** where "-in forest1.krb5.keytab" is the keytab file that contains existing keytabs
I can't speak for win2003, but this method definitely works in Win2008R2.
Now, you can add the additional SPNs on the Domain Controllers using the MS tool "setspn" with the "-A" switch no problem against the same service account.
This would probably work if you were using a domain account with IIS. If www1 and www2 are separate hosts on the same domain and you added www as an SPN to each, then you'd have a duplicate SPN in the directory. Also, if www1 and www2 are behind separate VIPs, presumably because you're doing GSLB, you could also probably just create separate keytab files.
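Added example, not part of the original thread and not F5 or Microsoft code: Python that reads the MIT keytab file format (version 0x0502), merges several keytabs into one, and lists each entry's principal, kvno and enctype, so a merged file can be checked for a missing SPN and for the DES/RC4 keys that "-crypto ALL" also generates. The function names are hypothetical, and the host names, realm and key bytes are constructed sample values.

```python
import struct

WEAK = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # legacy enctypes

def _cstr(buf, off):
    """Read a counted octet string (uint16 length + bytes); return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype, raw_entry)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        raw, off = data[off + 4:off + 4 + abs(size)], off + 4 + abs(size)
        if size <= 0:                        # negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", raw, 0)
        names, p = [], 2
        for _ in range(ncomp + 1):           # realm first, then each name component
            s, p = _cstr(raw, p)
            names.append(s.decode())
        kvno, etype = struct.unpack_from(">BH", raw, p + 8)  # skip name_type, timestamp
        _, p = _cstr(raw, p + 11)            # step over the key bytes
        if len(raw) - p >= 4 and raw[p:p + 4] != b"\0" * 4:
            (kvno,) = struct.unpack_from(">I", raw, p)       # optional 32-bit kvno
        out.append(("/".join(names[1:]) + "@" + names[0], kvno, etype, raw))
    return out

def merge_keytabs(*blobs):
    """Concatenate the entries of several keytabs, dropping exact duplicates."""
    raws = dict.fromkeys(e[3] for blob in blobs for e in parse_keytab(blob))
    return b"\x05\x02" + b"".join(struct.pack(">i", len(r)) + r for r in raws)

def make_keytab(spn, realm, kvno, etype, key):
    """Build a one-entry keytab for the demo (constructed data, not a real key)."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    parts = [s.encode() for s in spn.split("/")]
    raw = (struct.pack(">H", len(parts)) + cs(realm.encode()) + b"".join(map(cs, parts))
           + struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key) + struct.pack(">I", kvno))
    return b"\x05\x02" + struct.pack(">i", len(raw)) + raw

if __name__ == "__main__":
    a = make_keytab("HTTP/www1.example.com", "EXAMPLE.COM", 3, 18, b"\x11" * 32)
    b = make_keytab("HTTP/www2.example.com", "EXAMPLE.COM", 3, 23, b"\x22" * 16)
    for princ, kvno, etype, _ in parse_keytab(merge_keytabs(a, b)):
        print(princ, "kvno", kvno, "etype", etype, WEAK.get(etype, ""))
```

A kvno in the merged file that differs from the one the KDC currently issues for that SPN is the usual reason a merged keytab fails to decrypt tickets.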