We have a similar setup (users need to be authenticated to multiple back end applications). We are trying to do KCD, but here is my confusion. We use lots of "easy to remember" aliases for sites, not their computer names, for users to access. For example, the time recording site is "timekeeping.ourdomain.com" instead of the server name, which is siteabbrfunctionnumber.int.ourdomain.com. So when reading about this in provisioning the service account and adding SPNs, I did select their computer names from AD and added them to the account. However, upon further reading, it would seem I need to set the SPNs for the aliases as well, but I can't do that through the GUI, so I need to add them from the command line? Before I do that, this is the error I am getting:
Dec 14 17:50:53 nmnbig02 err websso.5[14574]: 014d0024:3: /Common/int-wso-idp:Common:a2baa8d5: Kerberos: Failed to get ticket for user @INT.OURDOMAIN.COM
Dec 14 17:50:53 nmnbig02 err websso.5[14574]: 014d0048:3: /Common/int-wso-idp:Common:a2baa8d5: failure occurred when processing the work item
So if it couldn't get a ticket, it's because there wasn't a match for the SPN, right? Please forgive my ignorance, I am new to Kerb. Also, is there a good primer for Kerb that you would recommend?
Thanks in advance