Cloned for documentation impact, refer to Bug # 987684 for implementation details.
You need to establish an Identity store that matches the Kerberos credential. For example if you use FreeIPA/RHIdM you would make the identity store use the LDAP backend and point directly at the associated LDAP/Directory server. The user ID will be calucalted based on the REMOTE_USER field passed through from HTTPD, so mapping it to a field such as the User principal would be simplest.