Hi Joyee, from what you are telling the AD user's SPN is wrong. SPN has to reflect the SNC Name (snc/identity/as)
Just to make it clearer I will tell you the naming conventions we applied to our systems:
snc/identity/as=p:CN=SAPSNC-<SID>-<Installation#>
So system ABC with installation number will have
snc/identity/as=p:CN=SAPSNC-ABC-0012345678
The name of the corresponding AD account is completely arbitrary. In my case it is SAPSNC001@XYZ.COM but this does only matter on sapgenpse command line while creating the keytab.
We set this AD account's servicePrincipalName attribute is set to SAP/SAPSNC-ABC-0012345678. This is essential for the Kerberos handshake.
I am not sure if your error message reflects this issue. So there might be some other errors.
Regards,
Lutz