502 (bad gateway) error with Kerberos SSO in "Clientless" mode when authenticating with WCF services

At runtime Kerberos SSO needs to know a Realm (domain) and a UPN (username), so your clientless-mode session must be able to provide correct values into the APM session variables session.sso.token.username and session.logon.last.domain. 

To troubleshoot this, I'd just enable debug logging on SSO and session, then just compare a test from each line-by-line and see where it falls over. Kerberos S4U is somewhat complicated. We have a few articles on troubleshooting it:

https://my.f5.com/manage/s/article/K59350434

https://my.f5.com/manage/s/article/K40119818