SamWalker Here is a document I created based on Linux policy server, AD as KDC and Apache web server hosting the protected resource.
I know your post is almost a year old however I know it will be a good reference to the community.
Jack, your paper is based on Windows 2012 as the KDC platform. My customer environment will have Win 2008 R2 as the KDC platform. I difference I have noted is that, per the TechNet link provided below, is that options for the 'ktpass' command run on the Windows Server 2008, 2008 R2 and 2012 should be designated with a slash ("/") rather than a dash ("-").
So, for example, the name of the keytab output file created by the ktpass command should be designated by the option "/out" rather than "-out".