When you say "create an SPN for this dns name and
with the userid being used to configure kerberos" which userid are you referring too? In our environment we have four servers which are load balanced. Kerberos based SSO is working on each individual server but is failing when going through the virtual ip. We have an AD user which corresponds to each physical machine. I believe the setspn command was then run for each of these users specifying the corresponding dns name of that server.
Does that mean we should then create another AD user to represent the load balancer and run setspn specifying the virtual ip and the AD user we set up? Do you know if this AD user would have to be marked as an eligible delegate?