APM Kerberos SSO profile problem with TGS-REQ

It's interesting that you're getting a timing error but possibly not actually submitting a Kerberos request. Do you have the ability to run WireShark some place where the Kerberos traffic can be seen? It's simplest if you can put it on the DC, but not everyone has that luxury. You can technically dump the data from tcpdump on an inside interface of the LTM, and then import into WireShark, but however you get it there, this tool will give you the most insight into what that Kerberos traffic actually looks like. What you'll want to look for is Kerberos (port 88) and DNS (port 53) traffic coming from the LTM to the DC. I've seen DNS responses foul things up, but if there's anything like a delegation, timing, or encryption issues, you'll see that in the capture. Because I don't really see any SSO information in the logs, it's very likely that something like reverse DNS could be involved.