With help from Automic Support & Development, I have finally made some progress on this. I documented my findings in my original discussion thread on this topic:
With the benefit of the new information provided by Automic, I can now answer some of the questions I posed earlier:
Q1. What keys should be in the keytab file?
A1. All keys should be in the same keytab file.
Q2. Does the keytab have to be installed on the AWI server?
A2. No. If the nodes running the AWI server are different from the nodes running the Automation Engine, then the keytab does
not need to be installed on the AWI nodes. The keytab needs to be installed only on the nodes that run the Automation Engine. The full path to this file is specified in
KEYTAB in UC_KDC_SETTINGS.
Q3. Must the AWI run as a particular user? (That is, must there be a relationship between the user that runs the AWI and the user associated with an AWI key in the keytab?)
A3. No. The AWI can run as any user.
Q4. Is it possible to enable SSO for both the Java User Interface and the Automic Web Interface at the same time?
A4. Yes.