APM SSO for different domain joined machines?

I have a scenario and I THINK it may be caused by below issue.

 

I have an app, let's call it MYAPP, which is integrated with F5 APM for SSO using basic/kerberos auth. THe F5 is setup to use a specific domain, let's call it mydomain.com.

 

A machine that is either domain joined to mydomain.com can login to my application fine using 3 major browsers (IE, Chrome and Firefox). When the machine is NOT domain joined, browser will prompt for credentials in all 3 browsers, then log user in fine.

 

What I have noticed is that if a user tries to login using a machine that is joined to a DIFFERENT domain, in Internet Explorer/Chrome, the user will receive the login prompt (as kerberos should fail) but APM denies them access even when they type their username as "mydomain\user". The only exception is Firefox, which allows the user to enter their credentials and still sign in.

 

My question is: 1. Why does this occur? 2. What is the fix? Is there an F5 side fix? Is there a client side fix?

 

Thanks all!!