microsoft.public.inetserver.iis.security
Kerberos - Multi-domain SPN problem


Author: bake
Date: Jul 7, 2008 15:09

I have an interesting problem with Kerberos and our network setup, I'll try
to keep it simple.

Client user is ADDomain1.com/user.
IIS Web Site service account user is ADDomain2.com/serviceuser.
DNS alias points to web site via website.NotAnADDomain.com.
ADDomain1.com and ADDomain2.com have 2 way full trusts.

The actual URL we want to use is http://website.NotAnADDomain.com (which is
obviously not an AD domain, just domain setup via DNS). So we register the
SPN as:
SetSPN -A HTTP\host1.NotAnADDomain.com ADDomain2.com/serviceuser

So when ADDomain1.com/user talks to ADDomain1.DC (KDC) to get the Kerberos
ticket, we get a KDC_ERR_S_PRINCIPAL_UNKNOWN error ("Server not found in
Kerberos database").

I assume that is due to the HTTP\website.NotAnADDomain.com SPN; the
ADDomain1 DC/KDC does not even know to point the ADDomain1.user to
ADDomain2.KDC to get the Kerberos ticket. Is that right?

Is there a mapping we can put in that would tell ADDomain1.KDC that when it
gets a request for that SPN/host (website.NotAnADDomain.com), it should point
the client to the DC/KDC in ADDomain2 where the serviceuser account exists?
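A simplified model of the referral decision the post is asking about, added here as an example and not taken from the thread or from any real KDC implementation: the client's KDC issues a ticket only for SPNs held in its own realm, and otherwise refers the client to a trusted realm only when the host part of the SPN falls under a DNS suffix it has a route for. Realm names and the SPN are the post's; the `suffix_routes` table is an assumed stand-in for trust name-suffix routing (or a host-to-realm mapping), and the "fix" step is likewise an assumption for illustration.

```python
from dataclasses import dataclass, field

KDC_ERR_S_PRINCIPAL_UNKNOWN = "KDC_ERR_S_PRINCIPAL_UNKNOWN"


@dataclass
class Realm:
    """One AD domain acting as a KDC (constructed model, not real AD)."""
    name: str
    spns: set = field(default_factory=set)             # SPNs held by this realm's accounts
    trusted_realms: set = field(default_factory=set)   # realms this one trusts
    suffix_routes: dict = field(default_factory=dict)  # DNS suffix -> realm name (assumed)


def canon(spn):
    """Normalise service/host[:port] to SERVICE/host; the KDC keys on host."""
    if "/" not in spn:
        raise ValueError(f"bad SPN {spn!r}: expected service/host, not a backslash")
    service, rest = spn.split("/", 1)
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return f"{service.upper()}/{host.lower()}"


def locate_principal(kdc, spn):
    """Model of the KDC's decision: issue locally, refer, or fail."""
    target = canon(spn)
    host = target.split("/", 1)[1]
    if target in {canon(s) for s in kdc.spns}:
        return ("TICKET", kdc.name)
    # Not local: refer only if a routed DNS suffix covers the host (longest
    # suffix wins). With no route the KDC has no idea where the principal
    # lives, which is the error the poster sees.
    for suffix in sorted(kdc.suffix_routes, key=len, reverse=True):
        if host == suffix or host.endswith("." + suffix):
            realm = kdc.suffix_routes[suffix]
            if realm in kdc.trusted_realms:
                return ("REFERRAL", realm)
    return ("ERROR", KDC_ERR_S_PRINCIPAL_UNKNOWN)


def walk_through():
    """The post's setup: user in ADDomain1, service account in ADDomain2."""
    d2 = Realm("ADDOMAIN2.COM", spns={"HTTP/website.NotAnADDomain.com"},
               trusted_realms={"ADDOMAIN1.COM"})
    d1 = Realm("ADDOMAIN1.COM", trusted_realms={"ADDOMAIN2.COM"},
               suffix_routes={"addomain2.com": "ADDOMAIN2.COM"})
    spn = "HTTP/website.NotAnADDomain.com"
    before = locate_principal(d1, spn)   # -> ("ERROR", KDC_ERR_S_PRINCIPAL_UNKNOWN)
    # Assumed fix: route the non-AD suffix to the realm that holds the account.
    d1.suffix_routes["notanaddomain.com"] = "ADDOMAIN2.COM"
    after = locate_principal(d1, spn)    # -> ("REFERRAL", "ADDOMAIN2.COM")
    return before, after, locate_principal(d2, spn)
```

Run `walk_through()` to see the failing lookup, the referral once a route exists, and ADDomain2 issuing the ticket for its own SPN.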