If you use multiple hostnames to refer to the Java application server (for example, if you use name-based virtual hosting), you should use setspn to create an SPN mapping for each hostname involved.
For example, assume that:
For each of those hostnames, you should map both its fully qualified domain name and its unqualified hostname (short name). If you have a DNS canonical name and one or more DNS aliases, you should set up SPN mappings both for the aliases and for the canonical name.
Thus, for the vsj_appservhost1 account, you should map the following SPNs:
As an alternative to the steps outlined above, Single Sign-on for Java supports integration with Authentication Services to allow you to simplify installation on Authentication Services-enabled UNIX or Linux hosts. The following sections describe how to perform this setup.
The Authentication Services system allows UNIX and Linux users to be authenticated using Active Directory. It provides integration with the UNIX Pluggable Authentication Modules (PAM) and Name Service Switch (NSS) systems.
A system administrator enables Authentication Services on a UNIX host by joining it to the Active Directory domain using the vastool utility. This creates a computer account object in Active Directory along with a host principal and keytab that can be used to authenticate service tickets that are presented to Kerberos/Authentication Services-enabled applications.
Authentication Services keytab files are created in the /etc/opt/quest/vas directory. Each keytab file is named according to the service that uses it. For example, the host principal keys are stored in the /etc/opt/quest/vas/host.keytab file. Authentication Services keytab files are stored using the standard Kerberos keytab file format and may be used by third party applications including Single Sign-on for Java.