Single Sign-on for Java makes use of a number of Active Directory constructs and objects in its Kerberos-related operations, in particular User Principal Names (UPNs) and Service Principal Names (SPNs).
User Principal Names and Service Principal Names are recorded in Active Directory and are used to refer to a client or a service within Kerberos. Active Directory can find the full account details for a UPN or SPN by searching its records for the account object that has that name listed as one of its attributes.
The UPN must be unique throughout the Active Directory forest.
The UPN is the name that appears in the Kerberos Ticket Granting Ticket (TGT) returned by Active Directory for a client.
The SPN is used when requesting a Kerberos ticket for a particular service. The client browser takes the hostname from the request URL to construct the SPN, and then uses that SPN to request a service ticket from Active Directory. You will typically need to map an SPN to an Active Directory account using the setspn tool.
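The mapping step described above, as an added example that is not part of the Single Sign-on for Java documentation: the SPN is derived from the URL the same way the browser does it (HTTP/hostname), registered against the service account with setspn, and then verified; the URL `https://sso.example.com:8443/app` and the account `EXAMPLE\sso-svc` are placeholders.

```powershell
# Added example, not from the Single Sign-on for Java documentation.
# Placeholders: the URL users type into the browser and the Active Directory
# account under which Single Sign-on for Java runs.
$Url            = 'https://sso.example.com:8443/app'
$ServiceAccount = 'EXAMPLE\sso-svc'

# The browser builds the SPN from the host name in the request URL only;
# the scheme, port and path play no part. The SPN must therefore match the
# name users actually connect to (a DNS alias or load-balancer name counts),
# not necessarily the server's own computer name.
$HostName = ([System.Uri]$Url).Host.ToLowerInvariant()
$Spn      = "HTTP/$HostName"
Write-Host "Browser will request a service ticket for SPN: $Spn"

# 1. See whether the SPN is already registered on any account in the forest.
#    A duplicate SPN stops Kerberos authentication to the service from working.
setspn -Q $Spn

# 2. Register the SPN on the service account. -S refuses to add the SPN if it
#    already exists elsewhere (unlike -A, which adds it unconditionally).
setspn -S $Spn $ServiceAccount

# 3. Confirm the account now carries the SPN.
setspn -L $ServiceAccount

# 4. Scan the forest for duplicate SPNs as a final check.
setspn -X
```

Run this on a domain-joined Windows host as a user allowed to modify the service account; the setspn output is printed for the administrator to review.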