Adding new SPNs to existing service ids

Posted by jmh on Server Fault
Published on 2013-10-31T14:04:44Z Indexed on 2013/10/31 15:58 UTC

We have a Tomcat server using spring-security-kerberos to authenticate users to the webpage against Active Directory.

There are around 25 domain controllers.

The site has two CNAME based DNS aliases.

The site currently has one Service ID with SPNs registered for the DNS A record as well as each of the CNAMEs.

While everything is working right now, I don't know how to reliably change this configuration without possible downtime.

The reason is that clients cache Kerberos tickets:

http://www.juniper.net/techpubs/en_US/uac4.2/topics/concept/user-role-active-directory-about.html

"The 'kerbtray.exe' program is helpful for viewing and deleting Kerberos tickets on the endpoint. Old tickets must be purged from the endpoint if SPNs are updated or passwords are changed (assuming the endpoint still has a cached copy of the ticket from a prior SPNEGO request to the MAG Series device). During testing, you should purge tickets before each authentication request."

Description of "klist" program used to inspect/delete cached tickets: http://technet.microsoft.com/en-us/library/hh134826.aspx

So if each of the clients (users running Windows) who connect to my web server have Kerberos tickets that become invalid as soon as I update the SPNs or passwords, how do I ensure changes are seamless? Are there any operations that can be done safely? I can't just ask all of the users to install klist and delete their old tickets.
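The SPN change the question describes, as an added example that is not part of the original post: it registers HTTP SPNs for the A record and each CNAME alias on the existing service account, after checking the domain for a duplicate registration (a duplicate SPN is what actually breaks Kerberos, because the KDC cannot choose which account key to encrypt the service ticket with). Adding an SPN does not change the account's key, so service tickets clients already hold continue to decrypt; it is a password reset on the service account that invalidates them until they expire or are purged. The account name, host names and domain are assumptions.

```powershell
# Added example (not from the original post or Server Fault answers).
# Register HTTP SPNs for an existing service ID, with a duplicate check
# before each add. All names below are assumed for illustration.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-tomcat'                 # assumed sAMAccountName of the existing service ID
$HostNames      = @(
    'web01.corp.example',                      # assumed A record of the Tomcat host
    'intranet.corp.example',                   # assumed CNAME alias 1
    'portal.corp.example'                      # assumed CNAME alias 2
)

function Get-ServiceAccount([string]$Name) {
    # Works for user and computer objects alike, so resolve by sAMAccountName via Get-ADObject
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$Name)" -Properties servicePrincipalName
    if (-not $obj) { throw "Service account '$Name' not found" }
    return $obj
}

function Get-SpnOwner([string]$Spn) {
    # Returns the object that already holds this SPN, or $null.
    # Searches the current domain; pass -Server '<gc>:3268' to check the whole forest.
    return Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName
}

function Add-HttpSpns([string]$AccountName, [string[]]$Hosts, [switch]$DryRun) {
    $account = Get-ServiceAccount $AccountName
    Write-Host "Current SPNs on $AccountName :"
    $account.servicePrincipalName | ForEach-Object { Write-Host "  $_" }

    foreach ($h in $Hosts) {
        # Browsers build the SPN as HTTP/<fqdn>; registering the short name as well
        # covers clients that resolve the host by its NetBIOS-style name.
        $short = $h.Split('.')[0]
        foreach ($spn in @("HTTP/$h", "HTTP/$short")) {
            if ($account.servicePrincipalName -contains $spn) {
                Write-Host "OK     $spn is already on $AccountName"
                continue
            }
            $owner = Get-SpnOwner $spn
            if ($owner) {
                # Do not add: two accounts with the same SPN break ticket issuance for both
                Write-Warning "SKIP   $spn is already registered to $($owner.sAMAccountName); resolve that first"
                continue
            }
            if ($DryRun) {
                Write-Host "WOULD  add $spn to $AccountName"
            } else {
                Set-ADObject -Identity $account -Add @{ servicePrincipalName = $spn }
                Write-Host "ADDED  $spn -> $AccountName"
            }
        }
    }
}

# Dry run first, then the real change
Add-HttpSpns -AccountName $ServiceAccount -Hosts $HostNames -DryRun
Add-HttpSpns -AccountName $ServiceAccount -Hosts $HostNames
```

The new SPNs only become usable from a given DC once the attribute change has replicated to it, so on a domain with many DCs wait for replication (or verify with `repadmin /showobjmeta` against a few DCs) before pointing users at a new alias. To verify from a test client without touching other users, run `klist purge` and then `klist get HTTP/intranet.corp.example` (assumed alias); the returned ticket should name the service account. Because the example never resets the account password, users' existing cached tickets for the old names keep working and no client-side purge is needed.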
