You can also use the Worker Processes UI inside IIS Manager and inspect the requests that are currently executing and see where they are getting stuck if any.
Open IIS Manager -> click the server in the tree -> double-click the Worker Processes icon -> double-click the worker process that is consuming CPU to see the currently executing requests in real time, so that you can see which module is taking time.
Also consider using Failed Request Tracing to track some of the time per request and see where they are taking a long time.
(This question is a bit old, but my analysis might help others.)
You seem to be missing some understanding and therefore not executing the commands correctly. I'm assuming that your KDC is actually an Active Directory KDC. This is not entirely clear from your description.
Firstly, in Active Directory Kerberos (contrary to standard MIT/Heimdal Kerberos) a Service Principal Name (SPN, a service running on a machine) needs to be connected to a User Principal Name (UPN, a user sitting behind a machine). Hence the mapping.
setspn will add the service principal name to a user by adding the LDAP attribute to the cn of the user.
ktpass will output your keytab and rewrite the UserPrincipalName to username/fully.qualified.domainname@REALM.
By doing a kinit -k -t key.tab principal, a lookup will happen in both the key.tab file and the Active Directory UPN for the principal. If it cannot find the principal in the keytab it will give an error like "Key table entry not found while getting initial credentials". If it cannot be found in the directory it will give "Client not found in Kerberos database while getting initial credentials".
Now to your issue at hand. It seems that you are missing the /princ parameter to ktpass. This is required to actually get the principal in the keytab file and get the mapping right. I wonder what a klist -k keytab gives.
So your lines should be something like this (including putting the REALM in the right location):
setspn -S HTTP/ubuntu-ad.wad.eng.hytrust.com aulfeldt
ktpass /princ HTTP/ubuntu-ad.wad.eng.hytrust.com@WAD.ENG.HYTRUST.COM /out tomcat.keytab /mapuser aulfeldt /crypto ALL /pass * /ptype KRB5_NT_PRINCIPAL
Extra: if you are using Samba 4 with samba-tool to do this, you will need to manually change userPrincipalName to (in this case) HTTP/ubuntu-ad.wad.eng.hytrust.com@WAD.ENG.HYTRUST.COM; this is because the keytab generation of Samba does not update the UPN and hence you will get an error when doing a lookup.
On a side note: an Active Directory machine name is COMPUTER$ (mark the $). Yours seems off.
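The first lookup described above is against the keytab itself, and klist -k is the usual way to see what it contains. As an added example (not code from the answerer), this Python script parses an MIT-format keytab (version 0x0502) and checks whether the expected HTTP principal is present; the keytab bytes are constructed in memory so it runs offline, and the timestamp, kvno and zero key material are made-up sample values.

```python
import struct

# Build a keytab entry in MIT v2 (0x0502) big-endian layout. Constructed sample, not a real file.
def _entry(components, realm, name_type, timestamp, kvno, enctype, key):
    body = struct.pack(">H", len(components))            # v2: count excludes the realm
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key  # enctype 18 = aes256-cts-hmac-sha1-96
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _entry(["HTTP", "ubuntu-ad.wad.eng.hytrust.com"], "WAD.ENG.HYTRUST.COM", 1, 1700000000, 3, 18, b"\x00" * 32)
    + _entry(["host", "ubuntu-ad.wad.eng.hytrust.com"], "WAD.ENG.HYTRUST.COM", 1, 1700000000, 2, 17, b"\x00" * 16)
)

def _counted_string(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in the keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_string(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted_string(data, pos)
            comps.append(c)
        _name_type, _ts, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen
        if pos + 4 <= end:            # optional 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries

def has_principal(data, principal):
    """True if the keytab holds an entry for exactly this principal (realm included)."""
    return any(p == principal for p, _, _ in parse_keytab(data))
```

If the principal written by ktpass /princ is missing from this listing, kinit -k -t will fail with the "Key table entry not found" error before it ever consults the directory.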
Best Answer
Not any more. You sort of answered your own question. It has obviously been decided that there's no need for the original -A functionality of not checking for duplicates any more... but you can't just go willy-nilly ripping the -A out, because someone's script somewhere that was using -A would break.
Adding some official documentation to back up my claim:
http://technet.microsoft.com/en-us/library/hh831747.aspx