APM- Kerberos AAA authentication

Hi I configured Kerberos-AAA server in my lab to transparently authenticate users via micrsoft kerberos in the way to access iis web server "which run on AD server" according to this link >

 

But it didn't work till i changed "DefaultAppPool" identity option from "ApplicationPoolIdentity" to use the same service account where my SPN " FQDN' is registered

 

 

otherwise i get below error in wireshark "notice SnameString value is the computer name not spn"

 

 

Now i want to implement that at customer but he can't change "DefaultAppPool" identity option from ''ÄpplicationPoolIdentity" to use the same service account where my SPN is registered, what is the solution for that?

 

Correct me if i'm wrong, ''ÄpplicationPoolIdentity" uses the computer account, so i can register my HTTP/SPN on same computer instead of separate service account , but in this case how to create a "Keytab"file using the computer instead of service account? and will it work ?