APM Kerberos does protocol transition, so it doesn't really matter what the external URL is. You can use a single internal account, but it's recommended to have two separate accounts - one for the service itself and one for the delegation account to access the service. The delegation account is used by APM to request an S4U ticket to the service and its name is arbitrary (but unique). So for example,
Your delegation account might be HOST/krb.company.local@COMPANY.LOCAL
Your service account would be HTTP/castst.company.com@COMPANY.LOCAL
And the delegation account would be configured to delegate to the service account (with the "any protocol" option to enable S4U).
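The account layout described above, as an added example that is not part of the original answer: it creates the two accounts, constrains the delegation account to the one service SPN with protocol transition, and reads the settings back. It assumes the RSAT ActiveDirectory module and rights to create users; the sAMAccountNames `svc-apm-deleg` and `svc-castst` are hypothetical, while the SPNs and realm are the ones from the post.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Hypothetical account names; SPNs and realm are taken from the post above.
$delegSam = 'svc-apm-deleg'
$svcSam   = 'svc-castst'
$delegSpn = 'HOST/krb.company.local'
$svcSpn   = 'HTTP/castst.company.com'
$realm    = 'COMPANY.LOCAL'

# Service account: owns the SPN of the back-end web service.
$svc = @{
    Name                  = $svcSam
    SamAccountName        = $svcSam
    ServicePrincipalNames = $svcSpn
    AccountPassword       = Read-Host -AsSecureString "Password for $svcSam"
    Enabled               = $true
}
New-ADUser @svc

# Delegation account: the identity APM uses to request the S4U ticket.
$deleg = @{
    Name                  = $delegSam
    SamAccountName        = $delegSam
    UserPrincipalName     = "$delegSpn@$realm"
    ServicePrincipalNames = $delegSpn
    AccountPassword       = Read-Host -AsSecureString "Password for $delegSam"
    Enabled               = $true
}
New-ADUser @deleg

# Constrain delegation to the single service SPN (least privilege).
Set-ADUser $delegSam -Add @{ 'msDS-AllowedToDelegateTo' = $svcSpn }
# "Use any authentication protocol" = protocol transition (S4U).
Set-ADAccountControl $delegSam -TrustedToAuthForDelegation $true

# Read the settings back and fail loudly on anything broader than intended.
$props = 'TrustedToAuthForDelegation', 'TrustedForDelegation', 'msDS-AllowedToDelegateTo'
$d = Get-ADUser $delegSam -Properties $props
$targets = @($d.'msDS-AllowedToDelegateTo')
if (-not $d.TrustedToAuthForDelegation) { throw 'Protocol transition is not enabled.' }
if ($d.TrustedForDelegation) { throw 'Unconstrained delegation is enabled; disable it.' }
if ($targets.Count -ne 1 -or $targets[0] -ne $svcSpn) {
    throw "Unexpected delegation targets: $($targets -join ', ')"
}
'Delegation account is constrained to {0} with protocol transition.' -f $svcSpn
```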