There are valid scenarios in which the AD user configured as the principal for WDSSO has a UPN that differs from the SPN.
Normally when generating the keytab these values get set to be the same, for example:
...however it's also valid for the UPN to be different, for example:
In this case if WDSSO auth is attempted then the following will be seen in the logs:
This valid scenario can be allowed to work by setting the JDK isInitiator parameter to false (default is true). This parameter is not currently implemented in the AM WDSSO module.
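As an added illustration (not code from AM or from the original page), the following stand-alone Java program builds an in-memory JAAS configuration for the JDK's `Krb5LoginModule` with `isInitiator` set to `false`, so the service keys are loaded from the keytab for accepting tickets only. The class name `AcceptorOnlyLogin` and the command-line arguments (an SPN and a keytab path) are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class AcceptorOnlyLogin {  // hypothetical class name, not part of AM

    // Builds a JAAS configuration for the JDK Krb5LoginModule using a keytab.
    static Configuration keytabConfig(String spn, String keytab, boolean isInitiator) {
        Map<String, String> opts = new HashMap<>();
        opts.put("principal", spn);        // service principal stored in the keytab
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("storeKey", "true");      // keep the keys so tickets can be accepted
        opts.put("doNotPrompt", "true");   // never fall back to asking for a password
        // true (JDK default): login() also requests a TGT from the KDC, using the
        //   configured principal name as the client name.
        // false: no TGT is requested; the keytab keys are only used to accept
        //   service tickets presented by clients.
        opts.put("isInitiator", Boolean.toString(isInitiator));
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        if (args.length != 2) {
            System.err.println("usage: AcceptorOnlyLogin <SPN> <keytab-path>");
            System.exit(2);
        }
        // Acceptor-only login: isInitiator=false, so no KDC request as the SPN.
        LoginContext lc = new LoginContext("wdsso-acceptor", null, null,
                keytabConfig(args[0], args[1], false));
        lc.login();
        System.out.println("Acceptor principals: " + lc.getSubject().getPrincipals());
        lc.logout();
    }
}
```

Passing `true` as the last argument to `keytabConfig` reproduces the default behaviour, in which the login also attempts to obtain a TGT for the configured principal.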