Multiple apps doing kerberos

Cross-realm limitations don't apply as long as the delegation account (used by APM) is in the same realm as the target service. Cross-realm constrained delegation does, however, require the users to be in a transitively trusted realm.

The only other issue is that APM doesn't support cross-realm referrals. It's something that would happen if a user was in a different realm and the current realm sent a referral to that realm (or at least the next realm closest to this realm). So since APM doesn't understand referrals, you have to tell it which realm the user is in. That may be an LDAP query up front in the access policy, either nested queries or a single GC query. Once you know which the realm the user belongs to, you need to use the user's sAMAccountName in that realm as the SSO username source, and the user's realm realm name as the SSO domain source.