APM Kerberos SSO between front-end and back-end servers
Your image is missing, but I think I understand what you're talking about. If I'm correct, you need to do APM Kerberos to the web server AND Kerberos from the web server to the backend server (using the same account). Yes?
If so, that's actually pretty straightforward and it's called a Kerberos delegation "double hop". Very simply, in order for Kerberos to "hop" from front to back, and in a delegated environment, EACH STEP ALONG THE WAY MUST BE DELEGATED. APM Kerberos SSO does Kerberos protocol transition to the delegation account and constrained delegation to the target service through the delegation account. You therefore have to configure the web server to do constrained delegation to the backend servers. For AD-based services this generally just means configuring the web server to be able to delegate to the SPNs of the backend services.
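A read-only check of the "every hop must be delegated" rule from the answer above, added here as an example and not part of the original post. The account names, SPNs and the function name `Test-DelegationChain` are hypothetical, and the sample records are constructed stand-ins for `Get-ADUser` / `Get-ADComputer` output.

```powershell
# Constructed sample data in the shape returned by
# Get-ADUser -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
$accounts = @(
    [pscustomobject]@{ SamAccountName = 'svc-apm-deleg'   # hypothetical APM delegation account
                       TrustedToAuthForDelegation = $true
                       'msDS-AllowedToDelegateTo' = @('HTTP/web01.example.test') },
    [pscustomobject]@{ SamAccountName = 'svc-web01'       # hypothetical web server service account
                       TrustedToAuthForDelegation = $false
                       'msDS-AllowedToDelegateTo' = @() } # nothing listed: second hop fails
)

# One entry per hop: who delegates, to which SPN, and whether protocol transition is needed.
# Only the first hop (APM) performs protocol transition; the web server only needs
# constrained delegation to the backend SPN.
$chain = @(
    @{ Account = 'svc-apm-deleg'; TargetSpn = 'HTTP/web01.example.test';         ProtocolTransition = $true  },
    @{ Account = 'svc-web01';     TargetSpn = 'MSSQLSvc/db01.example.test:1433'; ProtocolTransition = $false }
)

function Test-DelegationChain {
    param([object[]] $Accounts, [hashtable[]] $Chain)
    $n = 0
    foreach ($hop in $Chain) {
        $n++
        $acct = $Accounts | Where-Object SamAccountName -eq $hop.Account
        $problems = @()
        if (-not $acct) {
            $problems += 'account not found'
        } else {
            # The target SPN must appear in the account's constrained delegation list.
            if (@($acct.'msDS-AllowedToDelegateTo') -notcontains $hop.TargetSpn) {
                $problems += "not allowed to delegate to $($hop.TargetSpn)"
            }
            if ($hop.ProtocolTransition -and -not $acct.TrustedToAuthForDelegation) {
                $problems += 'protocol transition not enabled'
            }
        }
        [pscustomobject]@{
            Hop = $n; Account = $hop.Account; Target = $hop.TargetSpn
            Ok = ($problems.Count -eq 0); Problems = $problems -join '; '
        }
    }
}

Test-DelegationChain -Accounts $accounts -Chain $chain | Format-Table -AutoSize
```

With the sample data, hop 1 passes and hop 2 is reported as not allowed to delegate to the backend SPN, which is the missing web-server-to-backend delegation the answer describes.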