first, the module complain against "failed to verify krb5 credentials: Server not found in Kerberos database"
I've tried to use adsiedit on a DC, and add HTTP/vhost.domain.com as another servicePrincipalName for the mapped user which already contain the SPN for the real host.
The next error which raise up is "gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab matches desired name)"
This is normal, your keytab hasn't been updated to contain the new SPN. But It seems that ktpass.exe cannot export two principals in a keytab, nor, using ktutil on linux to get two keytab in ony works, as the kvno is increased.
The question is: Does windows really use the servicePrincipalName or does it use userPrincipalName? The doc says that only one mapping can be done, so I think it uses the UPN...
So there is no way to use vhost as easely. You have to use another dummy account, and map HTTP/dummyuser2 to the vhost, and store two keytab on apache...
