Kerberos SSO with alternative UPN
Kulastone, your problem may actually be different than the originator's. The original problem is that APM Kerberos does not (yet) support enterprise canonical referrals. This is where a Kerberos client, understanding that the realm name doesn't match a known realm, will send an enterprise canonical request to its local KDC. The KDC will then go find the user (via global catalog and/or LDAP search) and return a referral (like a CNAME for Kerberos) telling the client where the user lives. I've heard that it's coming soon, but can't say when.

A common workaround is to simply perform your own LDAP search and use the returned sAMAccountName and real domain realm in your Kerberos SSO (instead of the userPrincipalName). Works like a charm.

Otherwise I wouldn't really say cross-domain Kerberos with APM is all that challenging - no more so than Kerberos itself. As long as:

1) you use the real realm names of the users,
2) the delegation account is in the SAME REALM as the resource,
3) there is a two-way transitive trust between the domains (a protocol requirement), and
4) APM knows how to talk to these realms,

you should be good to go.
As for your issue, can you elaborate?
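The workaround in the reply above (look the user up by userPrincipalName, then hand Kerberos SSO the sAMAccountName plus the real realm) is easy to get subtly wrong: the UPN suffix is not the realm, the search has to hit the global catalog because the account can live in any domain of the forest, and the user-supplied UPN must be escaped before it goes into an LDAP filter. The following Python example is added here to illustrate that mapping; it is not part of the original post and not F5's APM code. The directory entries, the `search_constructed_directory` function and all names in it are constructed stand-ins for a real global catalog search (an `ldap3` query against port 3268 would fit the same `search(filter) -> entries` interface).

```python
"""Map a userPrincipalName (possibly with an alternative UPN suffix) to the
sAMAccountName and real Kerberos realm, as the forum reply describes.

Added example; not the project's code. The directory below is constructed
sample data, not real accounts.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample objects as a global catalog search might return them.
# In AD the Kerberos realm is the DNS name of the domain that holds the
# object, i.e. the DC= components of its DN, not the UPN suffix.
SAMPLE_DIRECTORY: List[Dict[str, str]] = [
    {"dn": "CN=Doe\\, Jane,OU=Users,DC=ad,DC=example,DC=local",
     "userPrincipalName": "jane.doe@corp.example.com",     # alternative suffix
     "sAMAccountName": "jdoe"},
    {"dn": "CN=Bob Roe,OU=Staff,DC=eu,DC=ad,DC=example,DC=local",
     "userPrincipalName": "bob.roe@eu.ad.example.local",   # suffix == realm
     "sAMAccountName": "broe"},
]


def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 special characters so a UPN cannot alter the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)


def build_upn_filter(upn: str) -> str:
    """LDAP filter selecting the user object with exactly this UPN."""
    return f"(&(objectClass=user)(userPrincipalName={escape_filter_value(upn)}))"


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas (handles 'CN=Doe\\, Jane')."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns


def realm_from_dn(dn: str) -> str:
    """Kerberos realm = upper-cased DNS domain = the DC= parts of the DN."""
    labels = [r.split("=", 1)[1] for r in split_rdns(dn) if r.upper().startswith("DC=")]
    if not labels:
        raise ValueError(f"no DC components in DN: {dn}")
    return ".".join(labels).upper()


@dataclass(frozen=True)
class KerberosIdentity:
    sam_account_name: str
    realm: str
    upn_suffix_is_realm: bool   # False means the suffix alone would have failed

    @property
    def principal(self) -> str:
        return f"{self.sam_account_name}@{self.realm}"


def resolve_principal(upn: str, search: Callable[[str], List[Dict[str, str]]]) -> KerberosIdentity:
    """Resolve a UPN to the principal Kerberos SSO should actually use.

    `search` must query the global catalog (whole forest); a single-domain
    search silently misses users homed in another domain.
    """
    if "@" not in upn:
        raise ValueError("userPrincipalName must contain '@'")
    results = search(build_upn_filter(upn))
    if len(results) != 1:
        raise LookupError(f"expected exactly one object for {upn}, got {len(results)}")
    entry = results[0]
    realm = realm_from_dn(entry["dn"])
    suffix = upn.rsplit("@", 1)[1].upper()
    return KerberosIdentity(entry["sAMAccountName"], realm, suffix == realm)


def search_constructed_directory(ldap_filter: str) -> List[Dict[str, str]]:
    """Constructed stand-in for an LDAP search: matches an entry whose own
    UPN filter equals the requested one (UPNs compare case-insensitively)."""
    want = ldap_filter.lower()
    return [e for e in SAMPLE_DIRECTORY
            if build_upn_filter(e["userPrincipalName"]).lower() == want]


if __name__ == "__main__":
    for upn in ("jane.doe@corp.example.com", "BOB.ROE@eu.ad.example.local"):
        ident = resolve_principal(upn, search_constructed_directory)
        print(f"{upn} -> {ident.principal} (suffix is realm: {ident.upn_suffix_is_realm})")
```

The `upn_suffix_is_realm` flag is there for logging: when it is false, the account is exactly the case the reply describes (alternative UPN suffix, no referral support), and the resolved `principal` is what the Kerberos SSO configuration needs instead of the UPN. The delegation-account and trust requirements listed in the reply are unaffected by this lookup and still have to be met.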