Forum Discussion
F5 Kerberos configuration for multiple Domains
For Kerberos authentication on F5, do we need to use both AAA Kerberos and SSO Kerberos? I am running into an issue getting Kerberos SSO to work with two domains that are part of the same forest with a two-way trust. I can access the server URL with Kerberos and it works fine for both domains.
We have domain1 and domain2 inherited from Domainmain and have two-way transitive trusts between forests.
Our APM policy is as follows:
401 -> (Negotiate) -> Kerberos Auth -> SSO Credential Mapping -> Check incoming user's domain ->
if "@domain1" -> "WEBSSO::select /Common/SSO-domain1" -> domain1 variable assigned (using split) -> Allow
if "@domain2" -> "WEBSSO::select /Common/SSO-domain2" -> domain2 variable assigned (using split) -> Allow
Since all services reside in domain1, we have a service account in domain1 mapped to the SPN HTTP/URL.com@domain1. We also have a user account in domain2 that we are using in the domain2 SSO configuration, with setspn to HTTP/URL.com@domain2.
It works fine for domain1 users (both AAA Kerberos and SSO). AAA Kerberos works fine for domain2 but fails at SSO. Found the following in the logs:
/frontend/kerberos-AP:frontend:c053507b: metadata len 430
/frontend/kerberos-AP:frontend:c053507b: Found HTTP 401 response for SSO configuration '/frontend/SSO-Kerberos-Domain2' type:'kerberos'
/frontend/kerberos-AP:frontend:c053507b: Websso Kerberos authentication for user 'User1' using config '/frontend/SSO-Kerberos-Domain2'
/frontend/kerberos-AP:frontend:c053507b: adding item to WorkQueue
/frontend/kerberos-AP:frontend:c053507b: ctx:0x9f131e8 SPN = HTTP/xyz.com@domain2 S4U ======>
/frontend/kerberos-AP:frontend:c053507b: ctx: 0x9f131e8, user: User1@domain2, SPN: HTTP/xyz.com@domain2
/frontend/kerberos-AP:frontend:c053507b: Kerberos: Failed to get ticket for user User1@domain2
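As an added triage example (not code from the post or from F5), the Python script below parses APM Websso log lines in the format shown above, groups them by APM session id, and reports for each session which SSO configuration was selected, the user principal and SPN in the S4U request, their realms, and whether the "Failed to get ticket" line appeared. The sample lines are constructed from the excerpt in the post: session c053507b is the one shown; sessions a1b2c3d4 and deadbeef, and their users, are hypothetical, added to show a domain1 session without the failure line and a domain2 user that was sent down the domain1 SSO branch.

```python
"""Triage helper for APM Websso Kerberos (S4U) log lines.

Added example; not code from the post or from F5. The line format is
taken from the excerpt in the post, the sample lines are constructed.
"""
import re

# Constructed sample: one APM log entry per line. Session c053507b mirrors
# the post; a1b2c3d4 and deadbeef are hypothetical comparison sessions.
SAMPLE_LOG = """\
/frontend/kerberos-AP:frontend:c053507b: metadata len 430
/frontend/kerberos-AP:frontend:c053507b: Found HTTP 401 response for SSO configuration '/frontend/SSO-Kerberos-Domain2' type:'kerberos'
/frontend/kerberos-AP:frontend:c053507b: Websso Kerberos authentication for user 'User1' using config '/frontend/SSO-Kerberos-Domain2'
/frontend/kerberos-AP:frontend:c053507b: adding item to WorkQueue
/frontend/kerberos-AP:frontend:c053507b: ctx:0x9f131e8 SPN = HTTP/xyz.com@domain2 S4U ======>
/frontend/kerberos-AP:frontend:c053507b: ctx: 0x9f131e8, user: User1@domain2, SPN: HTTP/xyz.com@domain2
/frontend/kerberos-AP:frontend:c053507b: Kerberos: Failed to get ticket for user User1@domain2
/frontend/kerberos-AP:frontend:a1b2c3d4: Found HTTP 401 response for SSO configuration '/frontend/SSO-Kerberos-Domain1' type:'kerberos'
/frontend/kerberos-AP:frontend:a1b2c3d4: Websso Kerberos authentication for user 'User2' using config '/frontend/SSO-Kerberos-Domain1'
/frontend/kerberos-AP:frontend:a1b2c3d4: ctx: 0x9f13200, user: User2@domain1, SPN: HTTP/xyz.com@domain1
/frontend/kerberos-AP:frontend:deadbeef: Found HTTP 401 response for SSO configuration '/frontend/SSO-Kerberos-Domain1' type:'kerberos'
/frontend/kerberos-AP:frontend:deadbeef: Websso Kerberos authentication for user 'User3' using config '/frontend/SSO-Kerberos-Domain1'
/frontend/kerberos-AP:frontend:deadbeef: ctx: 0x9f13210, user: User3@domain2, SPN: HTTP/xyz.com@domain1
/frontend/kerberos-AP:frontend:deadbeef: Kerberos: Failed to get ticket for user User3@domain2
"""

# "<policy>:<profile>:<8-hex session id>: <message>"
LINE_RE = re.compile(r"^(?P<source>[^ ]+?):(?P<sid>[0-9a-f]{8}): (?P<msg>.*)$")
CONFIG_RE = re.compile(r"(?:SSO configuration|using config) '(?P<config>[^']+)'")
S4U_RE = re.compile(r"user: (?P<user>\S+), SPN: (?P<spn>\S+)")
FAIL_RE = re.compile(r"Failed to get ticket for user (?P<user>\S+)")


def split_principal(principal):
    """'User1@domain2' -> ('User1', 'domain2'); no '@' -> (name, None)."""
    name, sep, realm = principal.partition("@")
    return name, (realm if sep else None)


def parse_websso_log(text):
    """Return {session id: summary} in first-seen order."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an APM websso line (or truncated); skip it
        sid, msg = m.group("sid"), m.group("msg")
        s = sessions.setdefault(sid, {
            "config": None, "user": None, "user_realm": None,
            "spn": None, "spn_realm": None, "ticket_failed": False,
        })
        c = CONFIG_RE.search(msg)
        if c:
            s["config"] = c.group("config")
        u = S4U_RE.search(msg)
        if u:  # the S4U request line carries both principal and SPN
            s["user"], s["user_realm"] = split_principal(u.group("user"))
            s["spn"], s["spn_realm"] = split_principal(u.group("spn"))
        if FAIL_RE.search(msg):
            s["ticket_failed"] = True
    return sessions


def failed_sessions(sessions):
    """Session ids whose S4U ticket request was logged as failed."""
    return [sid for sid, s in sessions.items() if s["ticket_failed"]]


def realm_mismatches(sessions):
    """Session ids where the user's realm differs from the SPN's realm,
    i.e. the policy branch picked an SSO config for the other domain."""
    return [sid for sid, s in sessions.items()
            if s["user_realm"] and s["spn_realm"]
            and s["user_realm"].lower() != s["spn_realm"].lower()]


if __name__ == "__main__":
    found = parse_websso_log(SAMPLE_LOG)
    for sid, s in found.items():
        state = "FAILED" if s["ticket_failed"] else "no failure logged"
        print(f"{sid}  config={s['config']}  user={s['user']}@{s['user_realm']}"
              f"  spn={s['spn']}@{s['spn_realm']}  {state}")
    print("realm mismatches:", realm_mismatches(found))
```

Run it against `/var/log/apm` output with SSO logging raised, and compare the domain1 and domain2 sessions side by side. A session listed under realm mismatches points at the branching step (the split and `WEBSSO::select`) having picked the wrong SSO configuration; a session like c053507b, where the user and SPN realms agree and the failure line still appears, is failing at ticket acquisition itself, which is where the KDC and krb5.conf settings mentioned in the reply below come into play.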
1 Reply

FI_2016_187929 (Nimbostratus):
I am having the same issue with SSO: I am getting "Kerberos: Failed to get ticket for user test@Domain2.com". The domain1 user works with no issues. I tried the suggestion posted in this discussion https://devcentral.f5.com/s/feed/0D51T00006i7X6eSAE to remove the KDC from the SSO configuration and edit the /etc/krb5.conf file, but got the same result of "Failed to get ticket". There are no detailed errors either to help troubleshoot.