You have configured the KDC and UME as required.
For more information, see Configuring Kerberos Authentication.
AS Java needs to map the Kerberos Principal Name (KPN) to a UME user. When you configure Kerberos authentication, you can configure this mapping by choosing from the following mapping modes:
Principal only
User is resolved using only the principal part of the Kerberos Principal Name (KPN). The principal token is mapped to the logon ID, the logon alias, or another UME attribute of the user.
Principal@REALM
User is resolved using the full KPN as a single token. The KPN is mapped to the logon ID, the logon alias, or another UME attribute of the user, or to a virtual user. A virtual user does not exist permanently in the UME database. It is temporarily created, on request, for a single session. Its access rights are determined by the default roles and groups you specify.
Principal and REALM
User is resolved by the KPN, split into principal and realm tokens. For the ADS data source, the user mapping is automatic. Otherwise, both tokens are mapped to UME attributes.
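The three mapping modes above, sketched as an added example that is not SAP code, to show how the same KPN resolves under each mode and that the realm plays no part in a Principal only lookup. The user records, the attribute names (logon_id, kpn, krb_principal, krb_realm), the mode strings and the "virtual:" prefix are assumptions made for this sketch, not UME names.

```python
# Added illustration: KPN-to-user resolution under the three mapping modes.
# Records and attribute names are constructed for this sketch (assumptions).
USERS = [
    {"logon_id": "jdoe", "kpn": "jdoe@CORP.EXAMPLE",
     "krb_principal": "jdoe", "krb_realm": "CORP.EXAMPLE"},
    {"logon_id": "asmith", "kpn": "asmith@CORP.EXAMPLE",
     "krb_principal": "asmith", "krb_realm": "CORP.EXAMPLE"},
]

def split_kpn(kpn):
    """Split 'principal@REALM' at the last '@'; both parts must be non-empty."""
    principal, sep, realm = kpn.rpartition("@")
    if not sep or not principal or not realm:
        raise ValueError(f"not a full KPN: {kpn!r}")
    return principal, realm

def _unique(matches):
    # Refuse an ambiguous mapping instead of picking the first record.
    if len(matches) > 1:
        raise LookupError("ambiguous mapping")
    return matches[0]["logon_id"] if matches else None

def resolve(kpn, mode, users=USERS, virtual=False):
    """Return the logon ID the KPN maps to, or None if no user matches."""
    principal, realm = split_kpn(kpn)
    if mode == "principal_only":
        # The realm token is discarded before the lookup.
        return _unique([u for u in users if u["logon_id"] == principal])
    if mode == "principal_at_realm":
        if virtual:
            # Mapping target is a virtual user: created for one session only,
            # with rights taken from the configured default roles and groups.
            return f"virtual:{kpn}"
        # The full KPN is compared as a single token.
        return _unique([u for u in users if u["kpn"] == kpn])
    if mode == "principal_and_realm":
        # Each token must match its own attribute.
        return _unique([u for u in users
                        if u["krb_principal"] == principal
                        and u["krb_realm"] == realm])
    raise ValueError(f"unknown mode: {mode!r}")

if __name__ == "__main__":
    for kpn in ("jdoe@CORP.EXAMPLE", "jdoe@OTHER.EXAMPLE"):
        for mode in ("principal_only", "principal_at_realm",
                     "principal_and_realm"):
            print(f"{kpn:22} {mode:20} -> {resolve(kpn, mode)}")
```

With these records, jdoe@OTHER.EXAMPLE resolves to jdoe only in Principal only mode; the two realm-aware modes return no user for it.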