Hi Wolfgang,
I reverted to the file-based keytab approach; it's not critical. The wizard is great in that we can configure the profile parameters and create the SNC PSE file, and also the SPNego transaction provides the ability to validate the service account credentials.
We are using SAML2 for the web application, and SPNego bypasses SAML2 based on the Default Logon Procedure.
Many thanks,
Jason