Forum Discussion

Philipp_Stadler
Feb 19, 2015

change username/domain in APM for AD auth

Hi all, we want to replace an existing website (reverse proxy on TMG) with F5 APM.

At the moment all users log in as DOMAIN\user, and this should work the same way on APM. We use AD authentication via Kerberos.

Now I tried to use "Split domain from full Username" on Logon Page, but this only allows the input in the way of user@DOMAIN.

So I created an iRule to split the domain name from the user:

when ACCESS_POLICY_AGENT_EVENT {
  # Only act when the VPE "iRule Event" agent with this ID is reached
  if {[ACCESS::policy agent_id] eq "domain_split"} {
    # Lower-case the value the user typed on the logon page
    set username [string tolower [ACCESS::session data get session.logon.last.username]]
    # Split "DOMAIN/user" on the slash (for a backslash the Tcl literal would be "\\")
    set user [getfield $username "/" 2]
    set domain [getfield $username "/" 1]
    # Write the split parts back into the session variables APM uses downstream
    ACCESS::session data set session.logon.last.logonname $user
    ACCESS::session data set session.logon.last.username $user
    ACCESS::session data set session.logon.last.domain $domain
  }
}

This works great, because I also do a domain check in the VPE after the irule to authenticate against different ADs.

Branch rules are configured like:
expr { [mcget {session.logon.last.domain}] eq "domain1" }

This also works fine, but when I get to the AD Auth, I see in the debug log that the Kerberos request is done with DOMAIN\user@DOMAIN, which fails.

I do not know where the DOMAIN\user comes from at this stage. Which variable is used for the Kerberos request?

When I check Session Variables on Reporting I see all variables set as needed.

I also read multiple DevCentral articles on this issue and I don't get why this doesn't work.

Thanks in advance,

Philipp
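An added example, not part of the original post: one iRule agent that accepts DOMAIN\user, DOMAIN/user and user@DOMAIN, writes the split parts into the same session variables the post uses, and leaves the variables untouched when no domain can be derived so the VPE branch rules fall through to their default branch. The agent ID "domain_split" and the variable names come from the post; everything else is assumed.

```tcl
# Added example (not the original poster's iRule). Normalises the logon name
# typed on the APM logon page into separate user and domain session variables.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "domain_split" } { return }

    set logon  [string tolower [string trim [ACCESS::session data get session.logon.last.username]]]
    set user   ""
    set domain ""

    # "\\/" is a Tcl literal for the two characters backslash and slash, so
    # split breaks the string on either one: DOMAIN\user or DOMAIN/user.
    set parts [split $logon "\\/"]
    if { [llength $parts] == 2 } {
        set domain [lindex $parts 0]
        set user   [lindex $parts 1]
    } else {
        # Fall back to the UPN form user@DOMAIN
        set parts [split $logon "@"]
        if { [llength $parts] == 2 } {
            set user   [lindex $parts 0]
            set domain [lindex $parts 1]
        }
    }

    # Fail closed: an empty user or domain means the input was not in a
    # recognised form, so leave the session variables exactly as they were.
    if { $user eq "" || $domain eq "" } { return }

    ACCESS::session data set session.logon.last.logonname $user
    ACCESS::session data set session.logon.last.username  $user
    ACCESS::session data set session.logon.last.domain    $domain
}
```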