APM - Question on Kerberos SSO
I am configuring Kerberos SSO with Active Directory and a back-end server that expects the SPNEGO (OID 1.3.6.1.5.5.2) authorization header.
As per the article below, I need to set Send Authorization = On 401 Status Code in the Kerberos SSO profile.
https://support.f5.com/kb/en-us/solutions/public/13000/500/sol13510
Quote: "The On 401 Status Code option sends an SPNEGO mechanism type (OID 1.3.6.1.5.5.2) as the authorization request. The BIG-IP system first forwards the user's HTTP request to the web server without inserting a new Authorization header, but any browser's Authorization header will be deleted. If the server requests authentication by responding with a 401 status code, the BIG-IP system retries the request with the Authorization header"
However, as soon as I set the option to On 401 Status Code, APM stops making any requests for TGS tickets. No errors in the APM log even in the debug mode. In the log I see that the back-end server constantly responds with "Authorization = Negotiate"; however, F5 just swallows the response and resends the request without the authorization header.
As soon as I turn the option back to Always, APM starts properly getting the TGS ticket and submits it to the web server, which is refused because the server expects SPNEGO (OID 1.3.6.1.5.5.2) and not KRB5 (OID 1.2.840.113554.1.2.2).
What may cause this behaviour? Why does On 401 Status Code prevent APM from getting tickets?
1 Reply
That is a weird one for sure. I do suggest you open a case with support to have them investigate this for you.
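When troubleshooting the two modes discussed in the question, it helps to confirm which mechanism OID a captured `Authorization: Negotiate` header actually carries. The following is an added example, not part of the thread and not F5 code: it reads the outer GSS-API mechanism OID from the token. The function names are hypothetical and the two sample tokens are constructed stubs containing only the header bytes, not real tickets.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode DER OID content bytes into dotted-decimal form."""
    arcs, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:            # high bit clear ends one arc
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    first = min(arcs[0] // 40, 2)      # first byte packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def outer_mech(header_value):
    """Outer mechanism OID of a 'Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        raise ValueError("no Negotiate token present (bare challenge?)")
    token = base64.b64decode(b64.strip(), validate=True)
    tag, start, _ = read_tlv(token, 0)
    if tag != 0x60:                    # [APPLICATION 0] initial context token
        raise ValueError("not a GSS-API initial context token")
    oid_tag, o_start, o_end = read_tlv(token, start)
    if oid_tag != 0x06:
        raise ValueError("mechanism OID missing")
    return decode_oid(token[o_start:o_end])

def describe(header_value):
    oid = outer_mech(header_value)
    return {SPNEGO_OID: "SPNEGO", KRB5_OID: "raw KRB5"}.get(oid, "other") + f" ({oid})"

# Constructed stub tokens: GSS-API header plus OID only, no ticket data.
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(bytes.fromhex("600a06062b0601050502a000")).decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(bytes.fromhex("600d06092a864886f7120102020100")).decode()
```

Pass the header value from a packet capture or debug log to `describe()`; a bare `Negotiate` with no token (the server's challenge) raises `ValueError`.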
