Your command is not incorrect
mapuser will be required if you are doing end to end SSO.
i feel the user name and domain name which are typing have some typo
you can try this:-
ktpass -out bosso.keytab -princ BICMS/user@DOMAIN.COM–mapuser user@DOMAIN.COM–pass ****** -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
without mapuser
ktpass -out bosso.keytab -princ user@DOMAIN.COM–pass ******** -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
Run this command on your Domain controller server.