Forum Discussion

ktm_2000
Nov 08, 2024

Can you set Kerberos AAA server via session variable?

Folks, 


I am looking to set up Kerberos so folks do not need to keep entering their credentials, and I have been doing some testing. I have a couple of test policies set up and assigned to their own VIPs. In each policy I have configured a service account and created a keytab file specifically for the VIP it relates to. Inside the policy I have the specific Kerberos AAA server defined, which has the keytab file linked to it. I have been able to get the policies to work as expected: the clients pick up the Kerberos ticket and successfully authenticate.


The challenge I face is that we have an awful lot of VIPs and tend to share logon policies, and we do not want to have a logon policy per app, so I am looking for a way to keep it as simple as possible.


I tried in vain to create a *.domain keytab and SPN, and that didn't work. I have tried and succeeded in adding multiple keytabs together, and while it did work, given the volume of apps I'll mess it up somewhere and it would be impractical.


The theory I have is this: if I made an AD service account per app, created a keytab per app, and created a Kerberos AAA server per app with the name of the AAA server the same as the VIP, I could create a common logon policy, read the variable for which VIP I am trying to access, use that variable as the Kerberos AAA server name, and have the logon process check against that SPN.


Thoughts? Is there a simpler way of doing this?
