Hi Srikanth,
In your case, I think you can create a custom attribute in AD, for instance named "SAPID", to store the SAP user ID in AD. For SPNego SSO to AS JAVA, you can choose to map this attribute instead of the standard "SAMAccountName" attribute.
For Kerberos SNC to AS ABAP, I guess it may need extra effort for the mapping. You can either map the user manually, or find a tool to do the mapping.
Lastly, I don't think it would be a security issue for users to edit their SNC name in transaction SU01. Imagine you can also change someone else's password; isn't that a bigger issue you need to consider?
Best Regards
Chenyang Xiong